FIVE STEPS TO ENTERPRISE RISK MANAGEMENT LEADERSHIP Page 60


HOW TO SAVE THE INTERNET

Big thoughts from big thinkers on how to make the Net more secure page


THE  HIGHER 

POWER  OF 

I.T.  GOVERNANCE 

How State Street made a $1.5 billion acquisition pay off Page 82


THE  RESOURCE  FOR  INFORMATION  EXECUTIVES 




HP  ProLiant  BL30p  server  blades 


To  read  IDC’s  Adapting  to  Change:  Blade  Systems  Move  into  the  Mainstream,  visit  hp.com/go/bladesmagl9 




When  everything  works  together, 
everything  changes  together. 

HP  BladeSystem  servers  allow  you  to  integrate  your  systems  with 
ease  for  unexpected  growth  and  unforeseen  business  demands. 
Powered  by  Intel®  Xeon™  Processors,  these  innovative  servers 
adapt  to  change  in  a  seamless  modular  fashion,  creating  new 
operational  efficiencies  to  dramatically  upgrade  your  enterprise 
And  that  changes,  well,  everything. 




Solutions  for  the 




ibm.com/ondemand 


Add  a  server  here.  Upgrade  a  storage  solution  there.  Throw  in  a 
database.  And  before  you  know  it,  the  IT  system  that  was  once  your 
pride  and  joy  has  become  an  albatross.  A  complex,  hard-to-manage 
albatross  that’s  holding  your  company  ransom.  Time  for  change. 

“WE JUST BOUGHT IT. NO WAY WE’RE REPLACING IT.”

We’re  with  you.  Another  huge  capital  investment  is  not  the  answer. 

Integration  is.  You  have  the  strategies  and  the  systems.  You  just  need 
to  get  your  business  priorities  and  your  technology  aligned.  Cue  IBM 
and On Demand Business. We’ll help you get more from what you’ve
got. By linking departments, connecting processes and simplifying,
end to end.

“GREAT. BUT I CAN’T START EVERYWHERE.”

You  don’t  need  to.  Integration  is  not  an  all-or-nothing  thing.  Small 
changes  can  reap  huge  rewards.  And  our  experience  and  expertise 
can  help  identify  them.  We  understand  the  procedures  that  make  your 
business  tick.  We  know  infrastructure.  We’re  not  fazed  by  complexity. 

We  see  through  it.  Identify  key  issues.  Zero  in  on  the  best  place  to  start 
for  immediate  returns.  Then  make  it  happen.  With  solutions  that  are 
platform and system friendly, but more importantly, business-strategy
friendly, too.

“THAT WOULD WORK, I THINK.”

It  would.  We  help  thousands  of  companies  do  it  every  day.  Join 
them.  Create  the  manageable,  affordable,  dependable  infrastructure 
you  always  planned.  Discover  how  at  ibm.com/ondemand/operations 

ON DEMAND BUSINESS


IBM,  the  IBM  logo  and  the  On  Demand  logo  are  registered  trademarks  or  trademarks  of  International  Business  Machines 
Corporation  in  the  United  States  and/or  other  countries.  Other  company,  product  and  service  names  may  be  trademarks  or 
service  marks  of  others.  ©2005  IBM  Corporation.  All  rights  reserved. 


Knowing  is  more  than  being  aware.  It's  about  being  able  to  determine,  prioritize 
and  deliver  what  and  how  much  protection  is  needed  and  where.  You  can't  eliminate 
risk  completely,  but  you  can  manage  it  and  reduce  your  exposure  time. 

NetIQ Security Management is the only way to manage risk, assure compliance and
secure assets. Our knowledge-based software solutions are intelligent and simple to use.
Only NetIQ, a leader in systems and security management, gives you the assurance of
knowing that risk is mitigated and your enterprise is secure, available and performing.

© Copyright 2005 NetIQ Corporation. All rights reserved. NetIQ and the NetIQ logo are registered trademarks of the NetIQ Corporation.


Knowing 

that  you're  managing  risk. 


Knowing  is  everything!" 




www.netiq.com/solutions/security 




One  out  of  every  five 
Global  500®  companies  trusts  Akamai. 


They  trust  Akamai  to  deliver  more  than  content.  To  deliver  more  revenue.  To  deliver  more 
market  share.  To  deliver  more  customer  demand  online.  Why?  Because  Akamai  accelerates 
business  processes,  delivers  lower  costs,  more  ROI,  more  customers  and  more  possibilities. 


Start learning more and get your copy of Accelerating Business: 10 Tips to Optimize
Online Business Performance. Call 888-340-4252 or visit www.akamai.com/business.


Akamai 

The  Trusted  Choice 
For Online Business


Global  500  list  compiled  by  Fortune  Magazine. 

©2005  Akamai  Technologies,  Inc.  All  Rights  Reserved.  Akamai  and  the  Akamai  logo  are  registered  marks. 


In  the  wake  of  the  Deutsche  Bank  acquisition,  State  Street 
Executive  VP  SHARON  DONOVAN  HART  used  governance  to 
determine  the  fate  of  Deutsche  Bank’s  applications. 


ESSENTIAL  TECHNOLOGY: 
PERFORMANCE  ENHANCERS  |  93 

Application  monitoring  tools  can  help 
companies  tune  up  their  engines. 

Feature  by  Cindy  Waxer 

Enterprise  Risk 
Management 

RUNNING  THE  RISK  |  60 

CIOs  are  the  executives  best  positioned  to 
champion  enterprise  risk  management.  Use 
this  five-step  leadership  strategy  to  get  the 

ball  rolling.  Feature  by  Allan  Holmes 

Ethics 

ETHICS,  SHMETHICS  |  38 

CIOs  should  stop  trying  to  do  the  “right 
thing”  when  implementing  IT  and  focus 
instead  on  getting  their  implementations 
right.  Column  by  Michael  Schrage 


Application  Performance 
Monitors 


Business  Intelligence 




MARCH/15/2005 | VOL/18 | NO/11


COVER STORY | The Brain Behind the Big,
Bad Burger and Other Tales of Business
Intelligence | 48

Business  intelligence  systems  have,  for  the  most 
part,  been  dreary  failures.  But  not  in  the  restaurant 
industry.  There,  the  payoffs  have  been  significant. 

So  what  have  you  been  doing  wrong?  And  what  are 
they  doing  right? 

Feature  by  Meridith  Levinson 

HOW B.I. UNCOVERS RIP-OFFS, PLUS SAMPLE REPORTS | CIO.COM

Carlson  Restaurants  Worldwide  uses  business  intelligence  software 
to  spot  invoice  discrepancies.  Find  this  story,  plus  sample  BI  reports 

at  www.cio.com/031505. 


Governance 

A  HIGHER  POWER  |  82 

When  State  Street  acquired  a  Deutsche 
Bank  company,  it  had  to  decide  whether  to 
keep  or  retire  more  than  900  inherited 
applications.  The  guiding  force  that  helped 
it  do  that  was  governance. 

Feature  by  Sarah  D.  Scalet 

GOVERNANCE  MAP  |  CIO.COM 

Imagine giving businesspeople a single document
that explains how IT works and how
to get a project approved. We have such a
document, courtesy of Bill Godfrey, CIO at
Dow Jones. Find it at www.cio.com/031505.



www.cio.com  |  MARCH  15,  2005 




content  (cont.) 


Trendlines | 23

Electronic Voting | Paper Trail for E-Votes

Information Security | The Web Safety Mascot with
an Image Problem

Predictions | New Options for CIOs in a Wired,
Wired World

Book Review | Never Eat Alone: And Other Secrets
to Success, One Relationship at a Time

Outsourcing | Europe Rising

Health-Care Standards | Standards a Must for
Adoption of Health-Care IT

Washington Watch | IRS: File Corporate Taxes
Online

Portals | Tsunami Relief Via Laptop

Wearable  Technology  |  High-Tech  Fashion  on  the 
Slopes 

Essential  Technology  |  93 

App  Performance  |  Performance  Enhancers 


Under  Development  |  Chips  Inside  Casino  Chips 
Pundit  |  Services  for  Sale  By  Eric  Knorr 

From the Editor | 12

Alignment Is Dead: Long Live Convergence | The
buzz at our most recent conference was about
a better goal for IT and the business.
By Richard Pastore

From the Publisher | 102

A Bigger Threat Than Terrorism? | Our education
crisis is as serious as anything we’ll face as a
nation. By Gary Beach

Inbox | 16
Index | 106

Executive Summary | 108


Leadership

LEADER, FIX YOURSELF | 34

If your staff isn’t doing the work you expect of them, you may be the one
who needs to improve your performance. Column by Patricia Wallington

Security

HOW TO SAVE THE INTERNET | 70

Computing on the Net is heading for a fall because security is a joke.
So we summoned the best minds to see if we could put Humpty back
together again. Feature by Scott Berinato

Work-Life  Balance 

PEER  TO  PEER:  HOW  TO  OPERATE  24/7  WITHOUT 
LOSING  YOUR  MIND  |  44 

As  the  CIO  of  MetLife  has  discovered,  it  is  possible  to  turn  technology 
from  a  leash  into  an  agent  of  liberation.  Column  by  Steve  Sheinheit 




Microsoft 


WEIGHING  THE  REAL  COSTS  OF 
LINUX  AND  WINDOWS?  WEIGH  THE 
INTELLECTUAL  PROPERTY  RISKS,  TOO. 


"To  date,  IBM,  HP,  Novell,  Red  Hat,  and  other  Linux  vendors  offer 
only  limited  indemnification  against  intellectual  property  legal 
claims  with  exceedingly  low  liability  caps — or  no  protection  against 
third-party  legal  claims  at  all — leaving  companies  with  the  risk  of 
high  cost  litigation." 


-Laura  DiDio 
Senior  Analyst,  The  Yankee  Group 


When  evaluating  Linux  and  Windows®,  the  Yankee  Group,  a  global  research 
and  consulting  firm,  recommends  that  you  assess  your  company's  exposure 
to  the  cost  of  intellectual  property  disputes.  That's  because  companies  can  be 
sued  for  using  software  that  infringes  intellectual  property  owned  by  third 
parties.  Microsoft  offers  a  strong  indemnity  that  helps  protect  users  of  its 
flagship  products  from  legal  costs  associated  with  intellectual  property 
disputes.  In  comparison,  leading  Linux  vendors  offer  limited  or  no  indemnity. 
For  details  about  Microsoft's  indemnity,  visit  microsoft.com/indemnification 

To  see  a  video  interview  with  Yankee  Group  Senior  Analyst  Laura  DiDio  and 
for  other  third-party  findings,  visit  microsoft.com/getthefacts 


Microsoft 


Windows 
Server  System 


©  2004  Microsoft  Corporation.  All  rights  reserved.  Microsoft,  Windows,  the  Windows  logo,  and  Windows  Server  System  are  either  registered  trademarks  or  trademarks 
of  Microsoft  Corporation  in  the  United  States  and/or  other  countries.  The  names  of  actual  companies  and  products  mentioned  herein  may  be  trademarks  of  their  respective  owners. 


Our color printers, multifunction systems and digital presses are as varied as the business
spectrum itself. So one is sure to fit your business like a glove. Xerox Color.
It makes business sense.

Color is improving work everywhere. And no one is more
committed to enhancing how people use color than Xerox.
Our wide array of award-winning digital color devices makes
it easy to custom fit a color solution for just about any
business. And just as impressive are the hands-on extras we
can provide, like workflow expertise, process improvement
techniques, and managed services that make color productive
and effective. Xerox color integrates easily into any network.
Our supplies are economical. And our line is so affordable,
it’s within reach of small businesses as well as large
global companies. Why not try Xerox color on for size? We
promise a fit that works hand in glove with your business.

Xerox color printers
multifunction systems
& digital presses

xerox.com/color 1-800-ASK-XEROX ext. COLOR

© 2005 XEROX CORPORATION. All rights reserved. XEROX® and Xerox Color. It makes business sense are trademarks of XEROX CORPORATION in the United States and/or other countries.


XEROX 


Technology 


Document  Management 


Consulting  Services 


Alignment Is Dead: Long Live Convergence

The  buzz  at  our  most  recent 
conference  was  about  a  better 
goal  for  IT  and  the  business 


Alignment may be the most venerable term in the CIO lexicon. Transcending the
eras of MIS, IS and IT, it’s at least as old as the CIO title itself. To align the goals and strategies
of the IT organization with those of the business has been the number-one priority
for CIOs for years, but there’s a new term in town that transcends that idea: convergence.
At CIO’s Perspectives on Enterprise Value conference last month in Fort Lauderdale, Fla.,
IT-business convergence was the buzz term.

In convergence, the IT function is intertwined with the business in every way. You’re not
trying to synchronize the separate actions of two disparate entities; IT and the business
become indistinguishable. One indicator of convergence can be found in meetings at Marriott
International. According to Marriott’s president, Bill Shaw, who delivered the conference
keynote presentation, IT people are just as likely to respond to a question about the business
as they are to a question about technology. And the businesspeople at those meetings
are just as likely to answer an IT question
(and get the answer right more often
than not), according to Marriott’s CIO
and fellow attendee Carl Wilson.

Marriott wasn’t the only company in
Fort Lauderdale claiming convergence
between IT and business. One financial services company is so comfortable with its IT-business
convergence, its CIO is now bent on creating convergence between IT and external customers.

To initiate convergence, there’s no one button to push; there are a whole slew of things
to pursue—such as populating steering committees with business and IT leaders who
work from one strategic blueprint, colocating IT managers in business units, abolishing the
notion of IT projects in favor of business-funded business projects enabled by technology, moving
permanent teams of IT and business staff from project to project, and assigning top IT
prospects to two-year stints in business unit operational positions.

In short, convergence is alignment to such a degree that the term alignment becomes
irrelevant.

Is it possible for convergence to work for IT? Can we abandon our eternal quest for
alignment and start building the philosophical and practical state of IT-business convergence?
Some would say alignment is a necessary precursor for convergence, but I’m not sure
it needs to be. Yes, many of the best practices are similar. But the quest for convergence seems
to me more galvanizing, more pragmatic and ultimately more achievable than alignment.
I’d rather be creating convergence than chasing alignment. After all, by its nature, alignment
exists for only a moment in time, a snapshot. Convergence can be forever. You can fall
out of alignment without lifting a finger, as business strategy subtly shifts under you, or
as executives move on. But once you’ve got convergence, you’d need to forcibly pry it apart
to break it—like a perfectly complete jigsaw puzzle where every piece interlocks.


pastore@cio.com




PHOTO  BY  ANDREA  FISCHMAN 


Where  14-billion  Web  addresses  and  emails  get  directed. 

Where  2.7-billion  phone  connections  get  routed. 
Where  3,000  global  enterprises  get  secured. 
Where  $100-million  in  online  commerce  gets  transacted. 

Every  day. 


Where it all comes together.


FIND 


Billions of times each day, the world interacts with a company
you may not realize is there. One that is driving dynamic transformations
at the very core of commerce and communications.
VeriSign.® Through our Intelligent Infrastructure Services,
we enable businesses and individuals to find, connect, secure,
and transact across today’s complex Internet, telecom, and
converged networks.

We operate the systems that manage .com and .net, handling
14-billion Web addresses and emails every day. We run one of
the largest telecom signaling networks in the world, enabling
services such as cellular roaming, text messaging, caller ID, and
multimedia messaging. We manage network and user security
for over 3,000 global businesses and 400,000 Web sites. And we
handle over 30 percent of all e-commerce transactions in North
America, processing $100-million in daily sales. As next generation
networks emerge and converge, VeriSign will be there, deploying
the Intelligent Infrastructure Services necessary for everything
from RFID-enabled supply chains to inter-enterprise VoIP to
mobile and rich media content distribution.

Whether you’re a telecom carrier looking to rapidly deploy new
services; a Fortune 500 enterprise needing comprehensive,
proactive security services; or an e-commerce leader wanting to
securely process payments and reduce fraud, we can help. We’re
VeriSign. Where it all comes together.™


© 2004 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo,
“Where it all comes together,” and other trademarks, service marks,
and designs are registered or unregistered trademarks of VeriSign
and its subsidiaries in the United States and in foreign countries.


www.VeriSign.com 

Download  now:  Free  white  paper  on  Intelligent  Infrastructure  Services 


VeriSign


WHAT  WE  COVER,  WHOM  TO  CONTACT 


THE  RESOURCE  FOR  INFORMATION  EXECUTIVES 


president  and  ceo  Walter  Manninen 
editorial  director  Lew  McCreary 
publisher  Gary  J.  Beach 

EDITORIAL 

editor  in  chief  Abbie  Lundberg 
editor  Richard  Pastore 
managing  editor  David  Rosenbaum 
managing  editor,  production  Cheryl  R.  Asselin 
executive  editors  Alison  Bass, 
Christopher  Koch,  Edward  Prewitt 
Washington  bureau  chief  Allan  Holmes 
special  projects  editor  Mindy  Blodgett 
technology  editor  Christopher  Lindquist 
SENIOR  editors 

Scott  Berinato,  Alice  Dragoon,  Stephanie  Overby, 
Megan  Santosus,  Elana  Varon 

SENIOR  WRITERS 

Meridith  Levinson,  Susannah  Patton,  Ben  Worthen 
staff  writer  Thomas  Wailgum 

CONTRIBUTORS 

Grant  Gross,  Eric  Knorr,  Scarlet  Pruitt, 
Michael  Schrage,  Steve  Sheinheit,  Brendan  Sullivan, 
Patricia  Wallington,  Cindy  Waxer 

DESIGN 

executive  director,  art  and  design  Mary  Lester 
art  director  Terri  Haas 

ASSOCIATE  ART  DIRECTORS 

Owen  Edwards,  Matthew  Goebel 
designers  Joanna  De  Fazio,  Jenna  Talbott 

associate  designer  Neva  Tachkova 
design  operations  specialist  Rachel  Barnett 

COPY  TEAM 

copy  chief  Emily  S.  Henderson 

senior  copy  editor  Diann  Daniel 
copy editor Cathy Mallen
assoc. copy editor Daniel John Robinson

EDITORIAL  ASSISTANTS 

Margaret  Locher,  Al  Sacco 

RESEARCH  &  PROJECTS 

research  editor  Lorraine  Cosgrove  Ware 

editorial  resource  manager  Carol  Zarrow 
associate  research  analyst  Julie  Hanson 
special  projects  manager  Lynne  Z.  Rigolini 

ONLINE  EDITORIAL 

web  editorial  director  Art  Jahnke 

WEB  EXECUTIVE  EDITOR  AND  PRODUCER 

Janice  Brand 

web  editor  Sandy  Kendall 
web  writer  Jon  Surmacz 


international  data  group 

CEO  Pat  Kenealy 

BOARD  CHAIRMAN  Patrick  J.  McGovern 


©CXO  Media  Inc. 


INDUSTRY 

Automotive 

Edward  Prewitt,  eprewitt@cio.com 

Financial  Services 

Elana Varon, evaron@cio.com

Health  Care 

Alison  Bass,  abass@cio.com 

Manufacturing,  Business-to-Business 

Christopher  Koch,  ckoch@cio.com 

Manufacturing,  Business-to-Consumer 

Susannah  Patton,  spatton@cio.com 

Public  Sector 

Allan  Holmes,  aholmes@cio.com 

Retail 

Meridith Levinson, mlevinson@cio.com

Transportation 

Stephanie  Overby,  soverby@cio.com 

Travel/Leisure/Entertainment 

Alice  Dragoon,  adragoon@cio.com 

BUSINESS  &  TECHNOLOGY 

Architecture 

Christopher  Koch,  ckoch@cio.com 

Customer  Relationship  Management  (CRM) 

Alison  Bass,  abass@cio.com 
Alice  Dragoon,  adragoon@cio.com 

E-Commerce,  Business-to-Business 

Christopher  Koch,  ckoch@cio.com 

E-Commerce,  Business-to-Consumer 

Meridith Levinson, mlevinson@cio.com

Emerging  Technology 

Christopher  Lindquist,  clindquist@cio.com 

Enterprise  Resource  Planning  (ERP) 

Ben  Worthen,  bworthen@cio.com 


Book  Reviews 

Carol  Zarrow,  czarrow@cio.com 

By  the  Numbers 

Lorraine  Cosgrove  Ware,  lcosgrove@cio.com 

Essential  Technology 

Christopher  Lindquist,  clindquist@cio.com 

Executive  Coach 

Edward  Prewitt,  eprewitt@cio.com 

Forum 

Cheryl Asselin, casselin@cio.com

From the Editor

Abbie Lundberg, lundberg@cio.com
Richard Pastore, pastore@cio.com

From  the  Publisher 

Gary  Beach,  gbeach@cio.com 


Integration 

Christopher  Koch,  ckoch@cio.com 

Knowledge  Management 

Megan  Santosus,  santosus@cio.com 

Leadership  and  Management 

Edward  Prewitt,  eprewitt@cio.com 

Legislation  and  Regulation 

Allan Holmes, aholmes@cio.com
Ben  Worthen,  bworthen@cio.com 

Outsourcing 

Stephanie  Overby,  soverby@cio.com 

Project  Management 

Mindy  Blodgett,  mblodgett@cio.com 

Public  Sector  (Government  IT) 

Allan  Holmes,  aholmes@cio.com 

Risk  Management 

Allan  Holmes,  aholmes@cio.com 

Security/Privacy 

Scott  Berinato,  sberinato@cio.com 
Allan  Holmes,  aholmes@cio.com 

Staffing 

Stephanie  Overby,  soverby@cio.com 

Supply  Chain  Management 

Ben  Worthen,  bworthen@cio.com 

Value  and  Measurement 

Mindy Blodgett, mblodgett@cio.com

Vendor  Management 

Scott  Berinato,  sberinato@cio.com 
Susannah  Patton,  spatton@cio.com 

Web  Services 

Christopher Lindquist, clindquist@cio.com
Elana  Varon,  evaron@cio.com 

Workforce  Connectivity 

(Wireless,  Collaboration  Technologies) 

Thomas  Wailgum,  twailgum@cio.com 


InBox 

Cheryl  Asselin,  casselin@cio.com 

On  the  Move 

Meridith  Levinson,  mlevinson@cio.com 

Peer  to  Peer 

Alison  Bass,  abass@cio.com 

Reality  Bytes 

Megan  Santosus,  santosus@cio.com 

Total  Leadership 

Elana  Varon,  evaron@cio.com 

Trendlines 

Megan  Santosus,  santosus@cio.com 

Washington  Watch 

Elana  Varon,  evaron@cio.com 
Ben  Worthen,  bworthen@cio.com 


e-mail letters@cio.com
phone 508 872-0080
fax 508 879-7784
address CIO Magazine, CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
website www.cio.com
subscriber services 866 354-1125 • Fax 847 564-9453 • E-mail cio@omeda.com
reprint services Jesse Levy • PARS International • 212 221-9595 x123 • E-mail jesse@parsintl.com
rights and permission Andrew Burrell • 508 935-4785 • E-mail aburrell@cio.com


COLUMN  &  DEPARTMENT  CONTACTS 




On-Demand  Collaboration.  Only  from  Polycom. 


Needs to be Secure and Standards based


It'll  take  the  demands  off  you. 


In  this  real-time  world,  instant  access  to  colleagues  around  the  globe  has  become  a  business  mandate.  Only  Polycom  can  bring 
people  together  via  any  combination  of  video,  voice,  data  and  Web  collaboration  -  on-demand.  Without  complex  IT  intervention 
or  advance  reservations.  A  single  dial-in  number  or  buddy  list  securely  connects  any  number  of  participants,  over  any  network, 
any  protocol,  any  speed  or  any  collaboration  device.  And,  you  can  do  it  all  with  confidence  since  Polycom  has  the  most  widely 
used  unified  solution  in  the  world.  It's  really  that  simple.  Isn't  it  time  you  demanded  on-demand  collaboration  from  Polycom? 

Get  a  free  copy  of  the  Unified  Collaborative  Communications  whitepaper  at  www.polycom.com/cio  or  call  1-877-POLYCOM. 


POLYCOM 


Connect.  Any  Way  You  Want. 


©2004 Polycom, Inc. All rights reserved. Polycom and the Polycom logo are registered trademarks and the SoundStation industrial design is a
trademark of Polycom, Inc. in the U.S. and various countries. All other trademarks are the property of their respective owners.


READER  FEEDBACK 

InBox 


IT  Role  Model 

Jeff Campbell and his leadership team at
Burlington Northern and Santa Fe serve as a
role model to us all when it comes to recruiting
and developing IT talent (“Grooming
the Next Generation of IT Leaders,” Jan. 15).
It appears that he and his team are balancing
stewardship for the future of the industry
with the need to achieve efficient and
effective operations today.

Reading about that company’s staffing
strategies provides a glimmer of hope
against the negative observations Richard
Pastore presented in his editorial on the IT
industry’s apparent lack of interest or concern
about developing entry-level staff.

As a consultant who supports business
development initiatives in the IT services
industry and the parent of two young people
pursuing an education, I am hoping that
we do not abdicate the future of our country’s
role in the global economy to others.

BLAKE  LEWIS 

Dallas 

blake@blakelewisapr.com 

Vendor  Negotiation 
Strategy 

The parallels between NCCI’s story
(“IT Buyer Beware,” Dec. 1, 2004) and one
of my own experiences are spooky. In my
previous role as the lead purchasing agent
for software and IT services for a large
utility, I learned that to be successful in
the arms-length dealings associated with
selecting a vendor, IT professionals and
leaders should adopt two approaches that
are comparable to those of the vendor.

First, from the beginning of the process
to the end, vendors think and act sell.
“What do I have to do to make and close
the sale?” Similarly, from the beginning of
the process to the end, IT professionals
and leaders should think and act negotiate.
“How will what I do or say impact my ability
to get a fair price and terms at the end?”

Second, vendors develop and deliver a
sales message containing the information
they want the customer to have so as to
maximize the probability of making the sale.
Similarly, the IT professionals and leaders
should develop a communication plan that
describes what information will be and will
not be shared with vendors in an effort to
ensure they get a fair price and terms.

HENRY A. (HANK) ZIMMERMAN

Principal, Carpenter Henry Consulting
hankzimmerman@comcast.net

The  Importance  of 
Knowing  the  Business 

In most projects like the one written
about in “When Bad Things Happen to
Good Projects” (Dec. 1, 2004), during the
“requirements gathering” stage, the business
side doesn’t understand the questions
(the questions are too vague, broad or technical),
and the IT people don’t understand
the answers (they aren’t familiar with the
details of the processes).

The only way to fix this is to get IT
people out of the IT silo and have them
live in the business and understand the
processes. They can rotate back to IT on
a regular schedule (say, one-year assignments),
but there should always be an IT
person (or people) in the business who can
translate requirements for IT projects.

JIM DUARTE

Director, Strategic Business Analysis
jeduarte2@aol.com

IT  Education 

I think “Degrees of Change” (Oct. 15, 2004)
missed a fundamental point: IT and computer
science programs (and graduates)
should be addressing different areas in
our economy.

IT should focus on adding value to the
business process. I agree that IT departments
should be implementing systems
that help the business. MBAs are perfect
for that; they’re focused on business.
Technology is a means to an end.

Computer science should be focused
on creating new technology that can be
used by IT to add value, creating systems
that run faster, do more and solve new
problems. Computer science departments
should not be teaching students about SQL;
they should teach them how to build an
SQL database or how to improve one.

Computer science graduates work for
Oracle to build a better database. IT graduates
work for a company that uses Oracle
databases to solve business problems.

I have a computer science background,
but it has taken me 10 years to realize that
I should have gone to work for a technology
company instead of a business. If someone
had explained that to me when I enrolled, I
would have been much better off.

SEAN  CALLAHAN 

Knowledge  and  Information  Manager 
seancallahan@ihug.co.nz 


What  Do  You  Think? 


Send  your  thoughts  and  feedback  to 
letters@cio.com.  Letters  may  be  edited  for 
length  or  clarity.  For  a  link  to  the  articles 
mentioned,  go  to  www.cio.com/printlinks. 

cio.com 




near 


Siemens  USA:  automation  &  control  •  building  technologies  •  energy  &  power  •  financial  services  •  home  appliances 
information  &  communication  •  lighting  •  material  handling  •  medical  solutions  •  transportation  •  water  technologies 


Work needs to get done
at  the  office.  Problem  is  you're 


Problem  solved.  With  Siemens  communications  solutions,  you 
don’t  need  to  be  connected  to  the  office  to  be  connected.  Siemens’ 
LifeWorks™  strategy  integrates  home  and  business  networks,  both  wired 
and  wireless.  You  can  get  intuitive  real-time  access  to  people,  information 
and  services  regardless  of  your  device,  network  or  location.  You  can 
instantly  collaborate  with  anyone — wherever,  whenever,  however  you 
like.  Time  spent  on  inefficient  communications  goes  down.  Productivity 
goes  up.  Making  life  work  better. 

At  Siemens  we  have  70,000  U.S.  employees  working  together  with 
thousands  more  all  around  the  world.  Exchanging  ideas.  Sharing  knowledge. 
And  strengthening  America’s  infrastructure  and  businesses. 


SIEMENS 


Global  network  of  innovation 


www.usa.siemens.com 


BOARD  OF  ADVISORS  '05 


CIO  wishes  to  acknowledge  the  2005  Editorial  Advisory  Board  members  for  their  ongoing 
guidance  and  reality  check  of  the  magazine’s  content  and  focus.  We  thank  them  for  their 
generosity  in  sharing  their  insight  into  the  world  of  IT  leadership. 


GREGOR  BAILAR 

CIO 

Capital  One 
Falls  Church,  Va. 

MARCIA  BALESTRINO 

Senior  Vice  President 
and  CIO 

Girl  Scouts  of  the  USA 
New  York  City 

DOUG  BARKER 

CEO 

Barker  and  Scott  Consulting 
Washington,  D.C. 

SHEILA  BEAUCHESNE 

CIO 

Bluegreen 
Boca  Raton,  Fla. 

WAYNE  D.  BENNETT 

Partner 

Bingham  McCutchen 
Boston 

DENNIS  CALLAHAN 

CIO  and  Executive 
Vice  President 
The  Guardian  Life 
Insurance  Co. 

New  York  City 


MICHAEL  EARL 

Professor  of  Information 
Management,  Dean  of 
Templeton  College 
Oxford  University 
Oxford,  England 

PAUL  J.  GAFFNEY 

Executive  Vice  President 
of  Supply  Chain 
Staples 

Framingham,  Mass. 

JOHN  GLASER 

Vice  President  and  CIO 
Partners  Healthcare 
Boston 

JERRY  GREGOIRE 

Former  CIO 
Pepsi  and  Dell 
Austin,  Texas 

SCOTT  HEINTZEMAN 

CIO 

Carlson  Hotels  Worldwide 
Minneapolis 

C.  LEE  JONES 

Chairman,  President 
and  CEO 
Essential  Group 
Gurnee,  Ill. 


SUSAN  S.  KOZIK 

Executive  Vice  President 
and  CTO 
TIAA-CREF 
New  York  City 

CHUCK  LYBROOK 

Executive  Director 
The  Information 
Management  Forum 
Atlanta 

BUD  MATHAISEL 

Corporate  Vice  President 
and  CIO 
Solectron 
Milpitas,  Calif. 

SHELEEN  QUISH 

Vice  President  of  Corporate 
Marketing  and  Global  CIO 
U.S.  Can 
Lombard,  Ill. 

REBECCA  R.  RHOADS 

CIO 

Raytheon 
Lexington,  Mass. 

LARAINE RODGERS 

President 

Arizona  Partnership 
for  Higher  Education 
and  Business 
Scottsdale,  Ariz. 


THOMAS  T.  SCHWANINGER 

Senior  Vice  President 
and  CIO 

American  Red  Cross 
Falls  Church,  Va. 

JOSEPH  A.  SMIALOWSKI 

Executive  Vice  President  of 
Operations  and  Technology 
Freddie  Mac 
McLean,  Va. 

JAMES  F.  SUTTER 

Senior  Partner 

The  Peer  Consulting  Group 

Newport  Beach,  Calif. 

RICHARD  W.  SWANBORG  JR. 

President 

ICEX 

Boston 

PATRICIA  WALLINGTON 

President 
CIO  Associates 
University  Park,  Fla. 

ROBERT  P.  WEIR 

Vice  President  of  Information 
Services 

Northeastern  University 
Boston 

STEVE  WILLIAMS 

Senior  Vice  President 
and  CIO 
Mattress  Giant 
Addison,  Texas 




Paper Trail for E-Votes

ELECTRONIC VOTING Electronic voting machines and the vendors that ply them have been the subjects of fractious debate, especially in light of the recent presidential elections.

Do the machines provide a safe and secure alternative to paper-based ballots? Are vendors obligated to make their proprietary source code available to public scrutiny? Those are just two of the burning issues that have figured prominently in the move to e-voting technology, a move propelled in large part by 2002’s Help America Vote Act, which aimed to provide the disabled with secure and anonymous access to polling places. Diebold Election Systems, a target of many e-voting critics during the 2004 election, announced in January that it has completed the design for a printer that would give its e-voting machines a paper trail.

Diebold’s AccuView Printer Module would create a so-called voter-verified paper trail, a function that many e-voting critics have demanded. The printer will be an optional component to any new or existing Diebold AccuVote TSx touchscreen voting station and can also be designed to fit other AccuVote models. The AccuView displays printed selections under a transparent surface, enabling the voter to privately view and verify selections against those simultaneously displayed on the e-voting system’s screen.

A machine with a voter-verified paper trail printer allows voters to review their votes on a printout after using
Continued  on  Page  24 


Web  Safety  Mascot  with  an  Image  Problem 


INFORMATION SECURITY You probably don’t know Dewie yet, and that’s the problem. Dewie is the Federal Trade Commission’s Web safety mascot—the McGruff of the network security set. According to the FTC, “Dewie’s wired, but carries his security shell no matter what he’s doing on the Internet. Even though turtles take their time, Dewie crosses the finish line first because he takes the appropriate steps to avoid a disaster.”

The government has a long history of humanizing safety issues with mascots—and successfully. Smokey Bear, the gold standard who turned 60 last year, “has helped to reduce the number of acres lost annually to forest fires from 22 million [in 1944] to 8.4 million in 2000,” according to The Ad Council, the granddaddy of public service announcements (PSAs). Indeed, an entire section of The Ad Council’s website is devoted to documenting the success of PSAs, from Smokey to childhood hunger and safe gun storage campaigns. Even today, many people can quickly cite the catchphrases of Smokey (“Only You Can Prevent Wildfires”), Woodsy Owl (“Give a Hoot. Don’t Pollute”) and McGruff (“Take a Bite Out of Crime”).

Of course, Smokey and the other PSA all-stars got serious TV time; Smokey Bear has his own website and a product licensing deal. Without that kind of support, Dewie the Turtle’s popularity will remain low.

Dewie also might have an image problem: A turtle, really? The word “turtle” carries negative connotations, and Tortoise beat Hare not because he was careful, but because Hare was cocky. It’s not clear that we can count on similar hubris from hackers.

In this issue, we devote a feature to big ideas for fixing information security (see “How to Save the Internet,” Page 70). This idea may not be big, but it’s still a good one: We propose an extreme makeover for Dewie the Turtle—an agent, a Hollywood PR firm and a massive media blitz. As his visibility skyrockets, online security will become a social virtue and the next generation will practice safer computing than we do.

All he needs now is a catchphrase. Suggestions?

-Scott Berinato



New Options for CIOs in a Wired, Wired World

Paper Trails
Continued from Page 23


PREDICTIONS It looks like 2005 may go down as the year of digital crime and online security threats. According to consultancy Deloitte Touche Tohmatsu, the number of computer-related crime and security incidents will skyrocket this year, thanks in large part to the rapid growth of Internet-connected portable devices and mobile technology. But Deloitte isn’t solely a bearer of dire news; the company says that this year, nanotechnology will finally “start to get traction for business use,” says Cathy Benko, Deloitte’s technology sector leader. “We are just starting to see the advent of some phenomenal applications,” she adds.

In January, Deloitte released a report that outlines its predictions for trends in the technology, media and telecommunications industries. In addition to crime, security and nanotechnology, Deloitte offered other predictions for the technology sector:

* Consumers increasingly will rely on the Internet, and Web browsers will become a standard interface for a host of business and consumer applications.

* Wireless mesh networks (which Deloitte defines as an ad hoc network, in which every node has a connection to every other node in the network) will appear in urban centers and will allow both local authorities to track assets and transportation companies to streamline services.

* Quantum computers, which are much faster than supercomputers, will begin to show promise for commercial applications.

What does all this mean for CIOs? As Benko sees it, CIOs will have far more options in the future, and therefore, they will need to take an incremental approach to new technologies. This approach, she says, represents a shift from 20 years ago (or so), when CIOs regularly had to make huge, “bet-the-company kind of decisions.” As networks proliferate, as connections become ubiquitous and as developments such as utility computing become commonplace, Benko says that CIOs can hedge their bets in terms of what technologies they should deploy. “CIOs can implement technology incrementally, and therefore, they can be more adaptable in the future,” she says.

Deloitte based its predictions on input from senior managers, clients and industry analysts around the world.

The full report is available at www.deloitte.com.

-Brendan Sullivan



Diebold’s  AccuView  Printer  Module  will 
provide  verifiable  e-voting. 


an electronic ballot; proponents of paper trails say the printouts give voters some degree of confidence that e-voting machines recorded their votes as they intended. They also provide a paper trail in the event of a recount.

Diebold’s decision comes in large part because of state requirements for paper trail ballots, says David Bear, a company spokesman. Nevada used e-voting machines with paper trail capabilities in the November election, and California and Ohio have joined the Silver State in requiring paper ballots as part of the voting system in future elections.

According to Will Doherty, executive director of the Verified Voting Foundation, a group that supports verifiable elections, paper trails would virtually eliminate potential fraud as well as machine errors in which votes aren’t counted. The Verified Voting Foundation advocates that the printed ballots are the official record when e-voting machines with voter-verified paper trails are used.

“It’s about time,” Doherty says of Diebold’s decision. “We’re very glad some vendors are starting to offer the paper trail option.”

The Information Technology Association of America (ITAA), which has defended e-voting machines as accurate and safe, says Diebold’s move appears to be focused on the demand for paper trail ballots. “It’s a situation where companies are going to provide what their customers want,” says Bob Cohen, senior vice president of ITAA, which counts e-voting machine vendors as among its members.

Paper trails or not, the debate over e-voting is likely to continue.

-Grant Gross




Shmooze  or  Lose 

The  author  is  living  proof  of  his  book’s  claim — 
that  success  is  all  about  relationships 


Never  Eat  Alone:  And  Other  Secrets  to 
Success,  One  Relationship  at  a  Time 

By  Keith  Ferrazzi 
Currency,  2005,  $24.95 


BOOK REVIEW Never Eat Alone is the book to read before you head to your next conference. This roughly 300-page volume will get you pumped and primed for making lasting connections with the new folks you meet. Author Keith Ferrazzi, who became a partner at Deloitte Consulting when he was still in his twenties and who’s now CEO of his own consultancy, attributes his enviable success to the vast network he’s spent years cultivating. The importance of networking isn’t a new revelation, yet Ferrazzi gives the topic a twist when he says networking isn’t effective if it is carried out with desperation or out of blind self-interest. Networking is most effective in helping people achieve their goals when they bring to it a desire to help others and a sincere interest in building meaningful relationships. The book stresses the importance of building relationships before you need them, and the way to do that is by offering yourself as a resource for others.

Never Eat Alone is packed with practical tips on where and how to meet people. There’s information about overcoming the various barriers to networking such as shyness, or the fear of making cold calls and small talk. There’s also advice about getting the most out of conferences and even hosting unforgettable dinner parties. Ferrazzi includes examples for readers to emulate based on actual conversations he’s had, e-mails he’s written and voice-mail messages he’s left. Don’t be misled into thinking that this is a book for junior staff (although, it’s a good one to share with them). It contains enough gems to make it worthwhile no matter where the reader is on the corporate ladder. For instance, practicing random acts of kindness toward the CEO’s executive assistant is guaranteed to get you more face time with the big kahuna.

Ferrazzi’s infectious enthusiasm for meeting people is communicated through his accessible and conversational writing style. This book will provide you with the confidence it takes to view every meeting with new people as the opportunity of a lifetime.

-Meridith Levinson


EUROPE  RISING 

OUTSOURCING Europe has become the new hot spot for outsourcing contracts, surpassing the United States in terms of the value of major outsourcing deals awarded in 2004, according to global sourcing company Technology Partners International (TPI).

Of the $76 billion worth of major outsourcing contracts awarded last year, Europe represented 49% of the value, while the United States took 44% and Asia 7%, based on research conducted by TPI. Major contracts were defined as those worth more than $52 million.

Taking the value of all contracts into account, the United States remains the most prevalent location for outsourcing, but Europe has progressed as a regional outsourcing location, according to Duncan Aitchison, managing director of TPI’s international business.

In all, Europe netted $36.5 billion worth of major contracts in 2004, almost doubling the value of those awarded in 2002. Europe’s standing as an outsourcing market leader was especially boosted by outsourcing growth in Germany, TPI said. Germany has increased its share of worldwide outsourcing contracts from less than 1% in 2001 to 12.5% in 2004, according to Aitchison, who adds that the market is fragmented in terms of service providers, allowing for new players to come on to the scene.

In fact, the “Big Six” major outsourcing providers - Accenture, Affiliated Computer Services, Computer Sciences, EDS, Hewlett-Packard and IBM - faced increased competition worldwide in 2004, according to TPI.

“The big headline is more vendor diversity,” Aitchison says.

The Big Six won 44% of the contracts in 2004 compared to 71% in 2003. The top 100 deals by value were won by 36 providers in 2004, compared to 26 the previous year, TPI noted.

The financial services sector continues to be the largest market for outsourcing providers, and the sector is getting increasingly savvy in its use of outsourcing, according to TPI. Many of the larger players are using multiple outsourcers to meet specialized needs, Aitchison notes.

Looking ahead, TPI predicts that Europe will become an even stronger player. The Big Six will have to battle more competition this year as companies turn to multiple and regional providers that are gaining steam.

-Scarlet Pruitt




Standards  a  Must 
for  Adoption  of 
Health-Care  IT 

HEALTH-CARE STANDARDS It’s no secret that the health-care industry needs to use IT better, but many doctors and hospitals are concerned about implementing technology such as electronic health records without interoperability standards in place.

In January, members of a new U.S. government task force focusing on nationwide health-care IT met for the first time to discuss standards.

The 11-member Commission on Systemic Interoperability, which was established by the Medicare Modernization Act in 2003, is charged by Congress with creating a comprehensive plan for the nation’s health IT infrastructure. Scott Wallace, president and CEO of the National Alliance for Health Information Technology and chairman of the new commission, says the health-care industry needs to use technology in order to cut skyrocketing costs and improve efficiency. Many in the industry maintain that electronic health records, which can follow patients everywhere, are the foundation for widespread adoption of IT throughout health care. Indeed, electronic records are essential to the future of the health-care industry, according to Gary A. Mecklenburg, president and CEO of Northwestern Memorial Healthcare and a member of the commission, hence the need for industrywide interoperability standards. “Those of us in health care have to get over thinking this is a choice,” Mecklenburg said at the commission’s inaugural meeting in reference to adopting IT. “We must have technology. It’s the cost of doing business. That’s what we have to get over.”

The commission has until Oct. 31 to deliver a plan for interoperability among health-care IT systems to Congress.

-Grant Gross




EDITED BY ELANA VARON


IRS:  File  Corporate 
Taxes  Online 

Electronic returns required for 2005 tax year

A new IRS regulation requiring the largest corporations to file future tax returns electronically is likely to require changes to company financial systems during the next year.

In January, the IRS said it would require some 11,000 corporations with assets of $50 million or more and that file at least 250 tax forms to file their 2005 returns (due in 2006) electronically. The requirement also applies to about 1,000 tax-exempt organizations with assets of $100 million or more. As many as 19,000 additional corporations and tax-exempt organizations with assets of at least $10 million will have to file electronically beginning with their 2006 returns.

The requirement is part of the IRS’s effort to streamline its operations and offer quicker service to companies, says Deborah Nolan, commissioner of the Large and Mid-Size Business Division at the IRS. For example, the IRS will be able to more quickly flag irregularities in electronic returns and to provide tax advice through secure e-mail messages.

Just how prepared companies are to file electronically is unclear because the IRS only began to accept electronic forms from them last summer. Not many companies have had the opportunity to use the online filing service. For convenience store chain 7-Eleven, the requirement should not be onerous. “We don’t expect the regulation to have much of an impact on our IT group,” says company Public Relations Director Margaret Chabris.

But 7-Eleven may be the exception, warns Timothy McCormally, executive director of the Tax Executives Institute, an advocacy group representing corporate tax preparers. While most companies support the idea of electronic filing, “the devil is in the details,” he says. Corporations use a variety of software to keep track of tax information, from Excel spreadsheets to legacy financial systems. McCormally worries that the IRS will not be able to accept all the different formats that corporations use, and that companies will be hard-pressed to quickly buy and install software that the IRS can accept.

To address this problem, the IRS is working with more than a dozen software vendors and accounting firms to develop technical standards, including business rules for online filing and use of XML.

-Allan Holmes


Get  More  Washington  News 


Read  Senior  Writer  Ben  Worthen's 

TECH  POLICY  BLOG  for  the  latest 
at  www.cio.com/blogs. 



Tsunami  Relief 
Via  Laptop 

PORTALS When the first tsunami struck the coast of Sri Lanka at roughly 8:30 a.m. on Dec. 26, 2004, Sanjana Hattotuwa was at home in a suburb 12 kilometers south of Colombo, on that country’s west coast. He remained blissfully unaware of the tragedy until his phone rang at 10:30 a.m.

Within two hours, Hattotuwa set up the Sri Lanka Tsunami Aid Portal, an information-sharing network that would become vital to the Sri Lankan government and relief workers alike. And he did it from his laptop at home, using a tenuous dial-up connection.

Hattotuwa is strategic manager and CIO of Info-Share, a nongovernmental organization that’s using technology to facilitate peace in Sri Lanka, where 20-plus years of ethnic conflict have left more than 65,000 people dead. So the organization had already established relationships with key stakeholders in the peace process, and had long been using collaborative work spaces from Groove Networks to allow such stakeholders to exchange information and work together. (Geography, emotions, politics and the country’s violent history make it difficult to bring these people together in the physical world; he was therefore able to spring into action by setting up a work space to serve as a clearinghouse for tsunami information.)

In the village of Onthatchimadam on Sri Lanka’s eastern coast, tsunami victims wait in line for aid.

With no broadband available and with callers jamming the phone lines that hadn’t been obliterated, it took Hattotuwa 25 to 30 tries to get a dial-up connection. “But once you’re connected, it’s very easy to disseminate information,” he says. “The architecture allowed us to get information to people at a time when most of the telephone [infrastructure] was crumbling.”

Hattotuwa initially stored about 50MB of information—including maps, multimedia files, news stories and photographs—on his laptop for the work space. As of February, the work space contained more than 1GB and was hosted on Groove’s servers. While Hattotuwa isn’t certain how his endeavors have directly affected relief efforts, he’s hopeful that the Sri Lanka Tsunami Aid Portal has helped the government assess the impact of the disaster and determine how to address needs.

-Alice Dragoon


Burton  and  Motorola's  Jacket 

features  speakers  in  the  hood  and 
a  control  panel  on  the  sleeve. 


WEARABLE TECHNOLOGY

High-Tech Fashion on the Slopes

Next ski season, snowboarding equipment manufacturer Burton will
unveil a new line of outerwear that the company designed with
Motorola. The jackets, helmets and beanies will be equipped with cell
phone and MP3 player technology so that snowboarders can toggle
between talking on the phone and listening to music.

Bruce Hawver, vice president of Motorola’s companion products
division, says boarders can use their own cell phones and MP3 players
as long as they're Bluetooth-enabled, or they can buy products with
the devices wired in. Hawver says the jackets feature a control module
on one sleeve that uses Bluetooth wireless technology to communicate
with the cell phone and the MP3 player and to switch between the two.
For example, when a snowboarder gets a call, the control panel
automatically pauses the music and displays the caller information.
The wearer can accept or reject the call with the touch of a button.
A microphone in the jacket zipper picks up the wearer’s voice, and
speakers in the hood and helmet allow the wearer to hear the call or
listen to tunes.

Sound cool?

The consensus among a group of snowboarding instructors at the
Stratton Mountain ski resort in Vermont is that these products are for
the “joeys”—the preteen and teenage wanna-bes whose parents can afford
to buy such extravagancies for them. According to Burton spokeswoman
Nancy Carlson, the jackets will cost about $499.

The  outlook  was  more  positive 
at  Sid  and  Dusty’s  snowboard 
shop  in  Stratton  Village,  where 
employee  Phil  Galante  thinks 
the  new  products  will  fly  off  the 
racks.  “People  want  better,  newer 
technology  that  makes  it  easier 
to  communicate.  I  think  people 
will  eat  it  up." 

-Meridith  Levinson 


30  MARCH  15,  2005  |  www.cio.com 


PHOTO  TOP  BY  AP/WIDE  WORLD  PHOTOS;  BOTTOM  COURTESY  OF  MOTOROLA 






Patricia  Wallington  total  leadership 


Leader,  Fix  Yourself 

If  your  staff  isn’t  doing  the  work  you  expect  of  them,  you  may  be  the  one 
who  needs  to  improve  your  performance 


Admit  it.  Some  days  when  nothing  is  going  right, 
we  would  like  to  fire  everyone  and  start  over  again. 
Of  course,  we  know  that  is  neither  practical  nor 
realistic.  Certainly  we  should  be  able  to  come  up 
with  a  strategy  for  “fixing”  our  employees.  Ah,  but  maybe  it’s  not 
them  who  are  causing  the  problems.  Consider  for  just  a  moment 
what  role  you  play  in  the  dysfunction.  Perhaps  it  is  you  who 
needs  “fixing.” 

Our  tendency  to  blame  others  became  obvious  to  me  when  I 
was  a  coach  for  a  senior  executive  in  a  large  corporation.  He 
asked  me  to  work  with  two  of  his  direct  reports  who  were  always 
at  loggerheads.  While  coaching  these  managers,  I  became  aware 
that  the  executive  had  established  a  competitive  environment. 
His  tendency  to  act  based  on  one-sided  versions  of  events,  his 
manipulation  of  key  resources  to  the  detriment  of  one  manager 
over  the  other  and  his  open  acknowledgement  that  he  was 
grooming  a  successor  led  each  manager  to  view  the  other  as  a 
competitor.  Each  saw  anything  the  other  did  with  a  jaundiced 
eye,  and  teamwork  was  nonexistent.  I  had  to  identify  strategies 
for  the  executive  and  his  managers  to  create  a  more  collaborative 
environment.  But  more  on  that  later. 

Look  in  the  Mirror 

Before  you  can  revise  your  behavior,  you  have  to  identify  it.  You  can 
do  this  by  first  considering  how  you  might  be  contributing  to  any 
given  problem.  Through  honest  self-criticism,  you  will  almost 
always  find  something  worth  improving  upon.  Second,  use  a 
360-degree  feedback  system  to  give  you  the  clues  on  what  to 
change.  You  should  be  able  to  tie  the  feedback  to  the  problems  in  the 
organization.  Third,  communicate  openly  with  your  staff  and  peers 




ILLUSTRATION  BY  BRAD  YEO/THEISPOT.COM 



so  that  they  feel  free  to  let  you  know  what  they  need  from  you. 

Your  boss  can  be  helpful  as  well.  Make  a  practice  of  asking  her 
for  input.  Often,  she  will  have  the  experience  that  enables  her  to 
see  your  problem  clearly.  Once,  when  I  was  going  through  a 
division  reorganization,  I  could  not  settle  on  a  workable  plan. 
When  I  asked  my  boss  for  help,  he  saw  immediately  why  I  had 
a  problem.  “You  have  four  jobs  and  three  people,  and  no  amount 
of  juggling  is  going  to  solve  that,”  he  said.  “You  have  to  hire 
another  manager.”  Without  this  advice,  I  might  still  be  juggling. 

Leadership  Makeover 

Here are a few common situations where your approach to
management can have a negative effect on your staff’s performance,
and some suggestions for fixes.

■ LACK OF TEAMWORK If getting your staff to work as a team
is a problem, you may be fostering an excessively competitive
environment. Divisive behavior is not always conscious. For
instance, you may unwittingly be favoring one or more staff
members over others by always giving the same people the
choice assignments or the bigger budgets. More deliberate
action, such as assigning overlapping activities to multiple
individuals, is another way that you could be fostering
competition at the expense of teamwork.

My advice to the executive client whose case I already
described was to set some ground rules for conflict resolution.
First, the affected managers would attempt to resolve their
dispute themselves. If they couldn’t agree, they would approach the
boss together. The boss, meanwhile, agreed not to take action on
only one manager’s complaint. Once the three reached a
resolution, they all agreed to support it. As simple as this sounds, it
created a strong team and lessened the stress in the organization.

■ INABILITY TO EXECUTE Punishing mistakes can freeze an
organization into inaction and chill its willingness to take risks.
One of my mentors taught me that those who try to do new
things and sometimes fail are infinitely better employees than
those who always succeed but never try anything different.

Following this principle will help you establish an
action-oriented environment. I once created an award that was given
to the individual with the most innovative idea each month.
How surprised people were when the first award went to an idea that
didn’t work! The award gave me the opportunity to make my point about
the value of taking risks in order to do new things or do old things
in new ways.

Independent decision making is also stifled when you micromanage
activities. Drawing the line between being involved and being
overinvolved can be difficult. You know you have a problem
when everyone turns to you for decisions you feel should be
made by your staff. Moving them from order-taking and
upward delegation will require you to step back. If asked for
help, you need to be a coach, and subdue your tendency to take
over when things move more slowly than you would like.

■ POOR COMMUNICATION If your staff tells you only what
you want to hear, it may be because you discourage bad news.
Lacking the facts about any situation, your decisions will
become increasingly flawed. Consider also whether your
communications with your staff send a clear message about your
expectations. If you’re vague about what you want from them,
you won’t get the crisp action and results you expect. Simple
information—for example, who is in charge of a project, what
their tasks are and when they must deliver—goes a long way
toward clarifying roles, responsibilities and expectations.

The  value  of  open  and  clear  communication  was  brought 
home  to  me  once  by  a  member  of  my  staff.  I  was  frustrated 
that  our  IT  strategy  wasn’t  being  implemented,  and  I  was 
beginning  to  be  concerned  about  the  staff’s  competence.  One 
of  my  managers  spoke  up  to  let  me  know  that  the  group 
needed  more  specifics.  Once  I  provided  them,  the  strategy  was 
implemented. 

■ LOW MORALE Projecting your unhappiness with company
decisions may satisfy your need to vent, but the toll on morale
will be high. Your role is building commitment to company
objectives. Consider each communication from two perspectives:
how you feel about it personally and how you feel about it
as a leader. It is the latter that is relevant to your people.

You can acknowledge employees’ concerns about a decision
without interjecting your personal concerns. Provide balance
by pointing out the company rationale for the action. In your
leadership role, you will communicate the content and the
supportive attitude that will enable your people to get behind the
decision, commit to its implementation and be proud of their efforts.

Understanding how your actions affect the organization
and being willing to learn new ways of leading and motivating
your employees are marks of a good leader. Not only will they
make you a more effective leader, but they will also help all
those who look to you as a role model to be more effective.
What can be better than that?

Before  retiring  in  1999,  Patricia  Wallington  was 
corporate  vice  president  and  CIO  at  Xerox.  She  is 
now  president  of  CIO  Associates  in  Sarasota,  Fla. 

Send  feedback  to  leadership@cio.com. 




IT'S  ALL  ABOUT  THE  EXECUTION 


Michael  Schrage 


Ethics,  Shmethics 

CIOs should stop trying to do the “right thing” when implementing IT and focus instead
on getting their implementations right


Be  honest.  Would  you  look  your  employees  in  the  eye 
and  tell  them  something  that  wasn’t  quite  true  if  it 
would  dramatically  increase  the  chance  that  your 
key  IT  implementation  would  be  finished  on  time 
and  on  budget?  I  would. 

How  about  deliberately  withholding  important  information 
from  your  boss  because  you  know  that  its  disclosure  would 
provoke  his  immediate  counterproductive  intervention  in  an 
important  project?  I  would. 

Suppose that once your major CRM system implementation
is completed and rolled out in a year, your company plans to
outsource maintenance and support. There’s a better than 60 percent
chance that you’ll lay off two-thirds of the IT workers who were
involved. Is it “unethical” for you not to fully disclose the details
of their possible future (or lack thereof) as they work feverishly
to make deadline? I don’t think so; do you?

I’m provoked into asking these questions by an accelerating
and dangerous trend infecting boardroom and office suite
discussions. That trend is the pea-brained “ethics-ification” of
business decision making and implementation: CEOs are
supposed to be Chief Ethics Officers; CIOs should be Chief Integrity
Officers. How noble. How politically correct. How silly.

Much  like  “quality”  in  the  ’80s,  “ethics”  and  “integrity”  have 
become  business  buzzwords,  materializing  in  too  many  CEO 
internal  communications  and  speeches.  Many  well-intentioned 
and  well-educated  people  think  this  “ethical  emphasis”  is  a 
healthy  development;  I  don’t.  I  think  it’s  awful. 

Today’s emphasis on ethics sets up C-level executives—CIOs
in particular—to be branded as liars and hypocrites. Why?
Because the ethics of effective implementation are seldom
compatible with the implementation of effective ethics. So am I




ILLUSTRATION  BY  MICHAEL  MORGENSTERN 




advising CIOs that effective IT implementation is inherently
unethical? Of course not. What I’m saying—moreover, what
I’ve observed—is that the ethical conflicts IT most frequently
confronts have less to do with dishonorable executive behavior
than with the genuine clash of competing business principles.
Too many people are trying to turn legitimate business
disagreements into illegitimate ethical conflicts.

Unfortunately,  today’s  “ethics  industry”  provides  little  to  no 
meaningful  guidance  to  any  serious  IT  executive.  Take  a  few 
moments  to  review  the  academic  literature  and  “business 
ethics”  curricula;  you’ll  burst  out  laughing  at  their  naivete  and 
fundamental  dishonesty.  They’re  con  jobs  in  idealism. 

Even  worse,  look  at  the  mainstream  media— The  New  York 
Times  Magazine’s  Sunday  “ethics  columnist”  in  particular— if 
you  want  to  appreciate  the  glib  and  immature  way  that  truly 
serious  ethical  issues  are  addressed  in  the  public  discourse. 
The  business  press  is  just  as  bad.  The  debacles  of  Enron, 
WorldCom  and  Arthur  Andersen  are  treated  as  case  studies  in 
ethical  failure.  Nonsense.  They  are  case  studies  in  professional 
malfeasance,  fraud  and  criminal  behavior. 

The  Ethics  Trap 

If  you’re  a  CIO  (or  work  with  one)  who  spends  too  much  time 
ensnared  in  ethical  conundrums  about  how  best  to  implement 
this  initiative  or  that  project,  get  out!  CIOs  who  consistently  find 
themselves  managing  the  “ethical”  issues  surrounding  effective 
implementations  are  incompetent.  They  should  be  sacked. 

Successful IT leadership should mean fewer conversations
and arguments about ethics, not more. The overwhelming
majority of business conversations regarding ethics are a
complete waste of time. Let’s have the courage to be serious: What
do you think will happen to IT productivity if your
development teams know that half of them will be laid off at project’s
end? If you think this knowledge will have only minimal
impact on IT productivity, please send me the name of your
company so that I can short your stock.

People  are  people.  Much  the  same  way  that  people  paid  by 
the  hour  tend  not  to  finish  their  work  too  quickly,  people  who 
know  they  will  likely  lose  their  jobs  tend  not  to  be  particularly 
productive  in  their  final  months.  Is  the  CIO  who  fully  discloses 
their  fate  behaving  ethically?  Or  is  he  a  fool  who  chooses  to 
ignore  the  reality  of  human  behavior? 

Champions of ethics assert that you’re a liar if you don’t tell
the truth, the whole truth and nothing but the truth. Or, even
worse, your workplace will be swarming with rumors that
undermine your credibility. Nonsense. We’re in business, not
under oath in a court of law. There are rumors even in
high-trust organizations. What should the CIO and HR do? They
should look their people in the eye and say, “There are always
rumors. We’re not going to spend our time responding to them;
we’re going to spend our time encouraging people to do the
best job possible. Whatever happens, we’re going to make every
effort to treat our employees fairly and responsibly.”

The essential problem of today’s “business ethics” for IT is
that ethics is assumed to mean “doing the right thing.” That’s
harmful nonsense. In fact, there is zero consensus around what
it means to do the right thing. If, indeed, there was such a
consensus, then there would be no ethical issue.

The fundamental challenge of business ethics is that there are
legitimately competing values for determining an appropriate
course of action. These competing values are particularly
contentious when running an IT implementation. If “full disclosure”
means that you can never complete your IT project on time and
on budget, then your so-called ethics guarantee business failure.
At the same time, deliberately misrepresenting your intentions
and obligations to the detriment of another is beyond the pale.

The point is that any IT implementation issue of any
significance can easily be made into an ethical issue. Why? Because
implementations are always—always!—about competing
priorities. There is no one “right thing”; there are only possible
trade-offs. While I freely acknowledge that some trade-offs
seem better or more desirable than others, I insist that those are
more properly business decisions than ethical ones. If you set
an unattainable “stretch goal” for your development teams that
pushes them to be more productive than they otherwise might
be, even if you know they can’t possibly hit the proposed
numbers, is that an unethical managerial manipulation? Or is it a
professional development tool to push people to perform
beyond their expectations?

To treat business decisions as ethical challenges is the road to
paralyzed and impotent madness. Why? Because businesses
have competing values for good reasons. How much information
we will disclose, or how we set our goals, should be business—not
ethical—judgments.

It’s time for the IT community in general—and CIOs in
particular—to give up on trying to do that “right thing” when
running an implementation and focus instead on better managing
the competing priorities that occur. IT doesn’t become a better
business partner by becoming more ethical; IT becomes more
ethical by becoming a better business partner. We do that by
making our partners aware that we do, indeed, make
trade-offs between priorities. The reasons for making those trade-offs
aren’t about ethics; they’re about business.

That’s the way it should be.


Michael  Schrage  is  codirector  of  the  MIT  Media 
Lab’s  eMarkets  Initiative.  He  can  be  reached  at 
schrage@media.mit.edu. 


40  MARCH  15,  2005  |  www.cio.com 


PHOTO  BY  JOHN  SOARES 


isiness  losses  are  measured  in 
,  preemption  beats  “reaction”  every  time. 




The  only  effective  security  is  preemption.  This  preemptive  power  is  only  available  with  the  Proventia™  Enterprise  Security  Platform  from  Internet  Security  Systems.  When 
security  flaws  are  discovered,  Internet  Security  Systems’  world-renowned  research  team  updates  Proventia  to  immediately  shield  you  before  attacks  are  released. 
Proventia  keeps  you  off  the  path  to  disaster  by  preemptively  securing  your  entire  IT  infrastructure  with  a  unified  family  of  intrusion  prevention  and  vulnerability 
management  products.  In  fact,  when  we  manage  Proventia  for  you,  we'll  even  guarantee  protection.  Need  proof?  Get  your  free  whitepaper,  Preemptive  Protection: 
Setting  a  New  Standard  in  Security,  at  www.iss.net/proof/CIO  or  call  800-776-2362. 


INTERNET SECURITY SYSTEMS®

Ahead  of  the  threat. 


NETWORK & HOST INTRUSION PREVENTION | VULNERABILITY MANAGEMENT | MANAGED SECURITY SERVICES


CSO Perspectives


the business. Getting the “science” part of the equation right is the
easier part. The technologies are known entities, and better ones
continue to evolve. There are quantitative measurements
around such issues as intrusion detection, forensics
and regulatory compliance, along with more
mature attempts to quantify the ROI of security.


It’s  the  “art”  of  security  that’s  the  harder  part— the 
art  of  diplomacy,  of  persuasion,  of  getting  into  and 
understanding  other  mindsets.  It’s  everything 
from  establishing  security  procedures  everyone 
will  actually  follow  to  fostering  positive  relations 
with  senior  executives  and  the  board  of  directors. 
It’s  getting  the  staff  to  think  like  a  hacker  or 
terrorist  to  get  ahead  of  potential  threats. 


Join  your  peers  from  business,  industry  and 
government  as  we  tackle  the  challenges  facing 
today’s  senior  security  executives. 


April  10-12, 2005 

Hyatt  Regency  Huntington  Beach 

Huntington  Beach,  CA 



Presented  by 

CSO

The  Resource  for 
Security  Executives 


We'll examine this complex balancing act by looking at what the top
practitioners are thinking and doing, and by listening to what leading
security and privacy experts think will affect the landscape of the future.


Governance  and  Convergence: 
Getting  It  Right 

The convergence of physical and information
security, if effectively governed within
an organization, assigns accountability for
security strategy and business plan creation
at the highest levels. It can enable
company leadership to identify, prioritize
and balance security issues and needs of
the business through a more comprehensive
approach.

Enterprise Risk Management:
A Matter of Focus

Looking at and balancing risk on an enterprise
level is the only effective way to manage
a corporation in our very complex
world. Explore how enterprise risk management
can give a single view of all types
of risks, and an executive-level management
strategy to deal with them.

Security  as  a  Business  Enabler 

Perhaps the hardest part of security is to
cost justify it and show its value to the
business. It’s like buying an insurance policy—no
one really wants to spend the
money. What if you could prove that security
really can add value?

What’s  Privacy  Got  to  Do 
With  It? 

The importance of balancing privacy and
security in a digital age is only overshadowed
by the perceived difficulty of actually
doing it. The current economic, legal, and
regulatory challenges after 9/11 have
made it all the more important to ensure
the adoption of good laws and technologies
that protect privacy and security at
the same time. We provide a roadmap.

The  Cost  of  Compliance  vs. 
the  Cost  of  Non-Compliance 

Some pundits say security is on the way to
becoming a fully-regulated industry, what
with an increasing number of official
directives from legislative bodies, regulatory
agencies and industry consortia
around the world. Toss in partially overlapping
or completely diverse requirements
from different agencies and you’re
guaranteed that compliance will be that
much more difficult—and very, very
expensive. In this session, we look at the
potential costs of compliance, weighed
against the risks of non-compliance. What
can CSOs do to understand the “dollars
and sense” of it all, and to prioritize your
organization’s compliance list?

Fear  Factor:  Information  Sharing 

In  spite  of  the  number  and  variety  of 
existing  mechanisms  designed  to  enable 
real  information  sharing  among  both 
public  and  private  sector  organizations, 
many  folks  in  the  security  business  say 
they  just  don’t  work.  The  reason:  no 
one’s  really  willing  (or  able,  if  corporate 
legal  counsel  has  their  say)  to  share. 

Yet,  if  no  one  admits  to  vulnerabilities, 
everybody  suffers.  Is  there  a  way  to 
overcome  the  fear  factor  here  and 
make  information  sharing  viable? 

Strategic  Planning:  Developing 
the  Plan  That  Works  for  You 

Developing  a  sound  strategic  security 
plan  will  provide  you  with  the  means 
to  gain  management  concurrence, 
stakeholder  buy-in,  and  team  member 
direction.  How  do  you  strategically 
approach  security?  Do  you  view  it  as 
a  return  on  investment,  from  a  risk 
management  perspective,  or  by  just 
playing  upon  emotions?  This  session 
shows  how  one  organization  developed 
its  security  strategy  from  beginning  to 
end— and  the  measurements  used  to 
determine  its  success.  Knowing  the 
“how”  in  delivering  security  is  just  as 
important as the “what” you are
providing  to  your  organization. 

Plus  More  Peer-to-Peer 
Networking  Opportunities 

•  CSO  Golf  Tournament 

•  Moderated  Discussion  Groups 

•  Luncheon  Discussion  Roundtables 

•  DrillDown  Breakout  Sessions 

•  Networking  Receptions 

•  Sponsor  Hospitalities 


SPEAKERS 

Michael  J.  Assante,  CSO, 

American  Electric  Power 

Bob  Bragdon,  Publisher,  CSO  magazine 

Joyce  Brocaglia,  CEO,  Alta  Associates 

David  Burrill,  CSO,  British  American  Tobacco 

Bob  Hayes,  CSO,  CXO  Media  Inc. /IDG  and 
Former  CSO,  Georgia-Pacific  Corporation 

Nuala  Kelly,  Chief  Privacy  Officer,  DHS 

David  Kent,  CSO,  Genzyme  Corporation 

Richard  Lefler,  Managing  Partner,  Business 
Security  Advisory  Group  and  Retired  Vice 
President  &  Director  of  Corporate  Security, 
American  Express 

Michael  Levin,  Assistant  to  the  Special  Agent  in 
Charge,  Criminal  Investigation  Division,  U.S. 
Secret  Service 

Mark  S.  Lex,  Director,  Global  Security,  Abbott 
Laboratories 

Rhonda  MacLean,  Senior  Vice  President  and 
CISO,  Bank  of  America 

Lew  McCreary,  Editor  in  Chief,  CSO  magazine 

Bhavesh  Patel,  Vice  President,  Information 
Security,  Genzyme  Corporation 

John  Pontrelli,  CSO, 

TriWest  Healthcare  Alliance 

Jeffrey  Rosen,  Professor  of  Law,  George 
Washington  University  and  Author  of  The 
Naked  Crowd  and  The  Unwanted  Gaze 

Jeff  Rosenthal,  Vice  President, 

BlessingWhite,  Inc. 

Marshall  Sanders,  Vice  President, 

Global  Security,  Level  3  Communications 

R.  E.  “Sandy”  Sandquist,  Director  Global 

Howard  Schmidt,  Vice  President  and  CISO, 
eBay 

Krizi  Trivisani,  CISO, 

George  Washington  University 

Ira  Winkler,  Industry  Guru  and  Author  of 
Corporate  Espionage  and  Spies  Among  Us 

Randall  Yim,  Managing  Director,  Homeland 
Security  Institute 

Jonathan  Zittrain,  Conference  Moderator  and 
Cofounder,  Berkman  Center  for  Internet  & 
Society,  Harvard  Law  School 

To  register  and  for 
more  information 

call  800.366.0246  or  visit 
www.csoonline.com/conferences 


FIELD-TESTED  IDEAS  FROM  CIOs  FOR  CIOs 


How  to  Operate  24/7 
Without  Losing  Your  Mind 

As the CIO of MetLife has discovered, it is possible to transform technology from
a leash into an agent of liberation

By Steve Sheinheit


I can’t believe that 12 years have passed since that cold winter
day when my wife and I accompanied my teenage
daughter on a campus tour of the University of Michigan.
This was before the Internet, before cell phones and
BlackBerrys, when I still believed in my ability to balance my
work and personal life. I remember how quickly the balance
shifted that day. Back at the office, we were beginning a megamerger.
I could ill afford to be out of touch for too long, so I made
an early morning call from a phone booth in the student union.
You guessed it—I told my wife and daughter to go on without me,
and I spent the next several hours in the phone booth. Later, I
scoured the campus. Luckily, I found the tour, but the damage had
been done.

This incident occurred shortly before the technology-induced
blurring of work and personal life that has been written about
so much of late. I thought of it recently when I was walking
with my wife down a beautiful street in Carmel, Calif. She was
on the cell phone talking to one of our children; I was engaged
with my BlackBerry. Over the phone, with only a hint of sarcasm,
my wife told my daughter, “Dad, the BlackBerry and I are having
a great time.” We were enjoying Carmel, and at the same time,
we were able to plug into other concerns a continent away. We
were truly connected and mobile—a very different experience
from the one we’d had on that cold winter day in Michigan.

You might ask the question, of course: Was I leashed or liberated?
At the CIO level, and for anyone whose job regularly
extends beyond the boundaries of the traditional workday, the
line between “work” and “play” has always been somewhat
permeable. Long before IT extended the workplace, people
stayed late at the office, came into the office on weekends and



ILLUSTRATION  BY  POL  TURGEON 


Middleware  is  Everywhere 


MIDDLEWARE  IS  IBM  SOFTWARE.  Powerful  WebSphere 
software.  It’s  the  strong,  seamless  bond  that  can  unite  your 
business, vendors, partners and customers. A dynamic link
designed  to  make  your  entire  organization  more  efficient. 
More  responsive.  More  flexible.  On  demand.  WebSphere 
connects  processes,  with  open  standards.  And  it’s  easy 
to  manage,  too.  So  all  involved  get  a  better  night’s  sleep. 


1.  Guest  checked  in  wirelessly. 

2.  Staff  queries  guest  preferences. 

3.  Vendor  services  integrate  seamlessly. 

4.  Supplies  are  procured  automatically. 

5.  Repeat  customers  increase  profits. 


Middleware for the on demand world. Learn more at ibm.com/middleware/process





lugged a briefcase home at night. Have you actually ever met
a CIO who was not continuously caught up in the pressures
and complexity of the job?

Even so, technology forces are working to up the ante. Only
a short time ago, some things had to wait until you returned to
the office. But as electronic devices have shrunk in size and
weight, and networks have expanded their bandwidth and
reach, it’s difficult to resist entering the “blur” where business
can be conducted anytime, anywhere, no matter. The shift from
“atoms to bits”—from books and hard-copy reports to electronic
media—enables work to follow you wherever you are. As
predicted by Moore’s Law, the chips that power technology are
everywhere—in your home and car, on your wrist or in your
pocket. And with wireless communication, you can—and are
expected to—always be “on.”

From  Leash  to  Liberator 

No wonder I’ve occasionally found myself wondering whether
there is time left to think. Time has become our most precious
resource. Time is fixed; it’s not expandable, reproducible or
reusable. It seems to slip away as the pace of demands accelerates.
For the CIO, work has expanded to fill the time available.
Like the systems we build and support, we operate 24/7 in
real-time. Properly utilized, technology can enable us to manage
more effectively in the blur, enhancing productivity in
work and quality in life. In fact, I believe it’s possible to turn
technology from leash to agent of liberation. Here are a few of
the strategies that are helping me:

Manage your work life according to your own needs. During
the week, I routinely stay in the office late, a habit developed
over years of adapting to a lengthy commute. On the weekends,
my focus shifts to my family. This has been the pattern
throughout my career. One of my direct reports, on the other
hand, usually goes home early enough to have dinner with his
children. Technology enables him to stay connected and work
after they’ve gone to bed. I often wonder: If I had had the advantage
of today’s technology when my children were growing up,
would I have made different choices?

Multitask if you have to. All too often, I have missed a personal
appointment to finish up at the office. But this past September,
I blocked out time to meet my wife at the women’s
semifinal matches of the U.S. Open. I had looked forward to the
matches all week. But, as frequently happens, the challenges of
the day were closing in on me—unfinished business, pending
decisions and a few unforeseen problems. Nevertheless, off I
went, BlackBerry with integrated cell phone in hand. I was
where I wanted to be, and I found I could manage business
and pleasure concurrently.

Turn  the  Damn  Thing  Off 

It’s OK to turn off the BlackBerry...sometimes. I was speaking
about technology’s effect on work and life at a recent meeting
with one of my IT groups. I was asked, “Do you mean it’s
OK for me to put off responding to a message from my boss to
finish what I’m doing?” “Well, of course,” I responded. “But
you have to decide based upon what you judge is most important
at that time.” There is a fine line between effective multitasking
and rudeness. Quality can suffer
and productivity is lost when thinking is
constantly interrupted. For these reasons, at
the start of some meetings I ask that all electronic
devices be turned off and that interruptions
be only for emergencies.

There’s  a  time  for  everything.  I  have 
found  that  there  is  a  huge  productivity  gain  in  dealing  with 
things  in  my  own  time.  Today,  more  than  ever  before,  we  are 
inundated  with  communications  from  many  sources.  The  key 
to  surviving  is  to  deal  with  most  of  them  asynchronously.  For 
this  reason,  I’ve  never  used  a  pager,  and  I  usually  keep  my  cell 
phone  off.  The  power  of  e-mail  is  that  it  allows  you  to  respond 
and  communicate  at  your  own  pace.  Most  important,  I  am 
always  within  reach. 

At an all-day meeting in Mexico, I received an e-mail from my
office about scheduling a time-critical conversation with an
executive of one of our business partners. He was traveling in
Asia. Via e-mail, we were able to set an agenda and schedule the
exact time for a phone call while staying focused on our respective
business concerns.

In the end, managing in the blur means keeping pace with the
acceleration so that both work and life remain in focus. If you
do this well, both will be simultaneously enriched. For instance,
today I can go away on vacation knowing that I can keep up-to-date
with minimal effort, my absence won’t impede work, and
I can return ready to start on the next day’s agenda.

As it turns out, I find that I actually do spend a lot of time
thinking—on the train, at the office late in the day, en route
during my frequent business trips. One thing that helps is that
information and communication are at my fingertips. In fact, it’s
surprising how easy it is to find time for reflection, once you give
up trying to maintain a separation between work and life and
start managing in the blur.

Steve Sheinheit is CTO of MetLife in New York City.
He enjoys sending and responding to e-mails at
2 a.m. to make sure his staff stays on their toes.
Please send your feedback to Executive Editor Alison
Bass at abass@cio.com.




COMPLIANCE  ISSUES? 

Today’s  regulatory  environment  doesn’t  leave  much  wiggle  room.  VERITAS  can  help  make  your  compliance  practices 
much  more  manageable.  99%  of  the  FORTUNE  500®  already  rely  on  VERITAS.  Software  for  Utility  Computing,  veritas.com 




Cover  Story 


The  Brain  Behind 


and  Other  Tales  of 
Business  Intelligence 


Reader  ROI 

::  Restaurant  chains  buck 
the  trend  and  use  business 
intelligence  effectively 

:: How to use BI to
troubleshoot problems
and highlight opportunities

:: Why BI systems are only as
good as the data they rely on


Business intelligence systems have, for the
most part, been dreary failures. But not in the
restaurant industry. There, the payoffs have
been significant. So what have you been
doing wrong? And what are they doing right?

IT'S BEEN CALLED "THE FAST FOOD
equivalent of a snuff film" by one health and nutrition
advocacy group. Jay Leno made cracks about
it on The Tonight Show. Even The New York Times
devoted an editorial to its excesses.

The  Monster  Thickburger,  the  latest  piece  de 
resistance  from  burger  joint  Hardee's,  consists  of: 

>  Two  charbroiled  certified  Angus  beef  patties, 
each  weighing  in  at  a  third  of  a  pound 

>  Three  slices  of  American  cheese 

>  Four  crispy  strips  of  bacon 

It's  topped  with  a  dollop  of  mayonnaise  that  oozes 
from  a  toasted  buttery  sesame  seed  bun. 

The Monster Thickburger tips the scales at a
whopping 1,420 calories and an artery-clogging
107 grams of fat. It quite possibly is the
most fattening mass-produced burger on the
planet, and it's selling like gangbusters,
according to Jeff Chasney, CIO and executive
vice president of strategic planning at CKE
Restaurants, the company that owns and
operates Hardee’s.

You’d think that CKE would have thought
twice about rolling out such an over-the-top
concoction in the midst of a national obsession
with the growing epidemic of obesity.
But CKE was able to introduce the Monster
Thickburger nationwide on Nov. 15, 2004,
with such confidence (if not impudence) that
the public would receive it with open
mouths because of the insights the company
obtained from its business intelligence (BI)
system. BI refers to a variety of software
applications that analyze an organization’s
raw data and extract useful insights from it.
BI as a discipline is made up of many related
activities, including data mining, online analytical
processing, querying and reporting.

CKE used its BI system, known ironically
inside the company as CPR (CKE Performance
Reporting), to monitor the performance
of its big, bad burger in test markets.
Specifically, CKE used BI to see if the hamburger
was actually contributing to increases
in sales at restaurants or if it was
just cannibalizing sales of other, lesser
burgers. The company wanted to evaluate
whether the increases in sales from the
burger were worth the cost to produce it.
CKE used its BI software to study a variety
of factors—such as menu mixes, the cost to
produce a Monster Thickburger, average
unit volumes for the Thickburger compared
with other burgers, gross profits and total
sales for each of the test stores, and the contribution
that each menu item (including the
Monster Thickburger) made to total sales.
Because the Monster Thickburger exceeded
expectations in test markets, the company
decided to roll it out nationwide and to
devote around $7 million in advertising to
promoting it. CPR gave CKE the confidence
it needed to introduce such a burger and to
know that the advertising dollars behind it
wouldn’t be a waste.

And, in fact, it’s been a resounding success;
sales of the burger bomb continued to
exceed expectations in December 2004.
Sales at Hardee’s stores that have been open
at least a year were up 5.8 percent for December,
and “the Monster Thickburger was
directly responsible for a good deal of that
increase,” says Brad Haley, Hardee’s executive
vice president of marketing.

Smart  Food 

Restaurant chains such as Hardee’s,
Wendy’s, Ruby Tuesday, T.G.I. Friday’s and
others are heavy users of BI software. Many
of the big chains have been using BI for the
past 10 years, according to Chris Hartmann,
managing director of technology strategies
at HVS International, a restaurant and hospitality
consultancy. They use BI to make
strategic decisions, such as what new products
to add to their menus, which dishes to
remove and which underperforming stores
to close. They also use BI for tactical matters
like renegotiating contracts with food suppliers
and identifying opportunities to
improve inefficient processes.

Because restaurant chains are so operations-driven,
and because BI is so central to
helping them run their businesses, they are
among the elite group of companies across
all industries that are actually getting real
value from these systems. Want proof?

Carlson Restaurants Worldwide, the privately
held company that operates T.G.I. Friday’s
and Pick Up Stix restaurants, saved
$200,000 in 2003 by renegotiating contracts
with food suppliers based on discrepancies
between contract prices and the
prices suppliers were actually charging
restaurants. Carlson’s BI system, which at
the time was from Cognos, had identified
these discrepancies.

Ruby Tuesday’s profits and revenue have
grown by at least 20 percent each year as a
result of the improvements the chain has
made to its menu and operations based on
insights provided by its BI infrastructure,
which consists of an Oracle data warehouse,
analytical tools from Cognos and Hyperion,
and reporting tools from Microsoft.

CPR helped CKE, which was on the brink
of bankruptcy five years ago, increase sales
at restaurants open more than a year, narrow
its overall losses and even turn a profit
in 2003. A homegrown proprietary system,
CPR consists of a Microsoft SQL server database
and uses Microsoft development tools
to parse and display analytical information.

In June 2003, Wendy’s decided to accept
credit cards in its restaurants based on information
it got from its BI systems, which
include IBM DB2 OLAP software, IBM and
Compaq servers, databases from Hyperion
and Oracle, Cognos Powerplay tools, and
software from Crystal Decisions and Arcplan.
Because of that decision, Wendy’s
restaurants have boosted sales; customers
who use a credit card spend an average of
35 percent more per order than those who



PHOTO  BY  STEVEN  VOTE 




use  cash,  according  to  Wendy’s  executive 
vice  president  and  CIO  John  Deane. 

These restaurant chains’ successes are
unusual considering the indigestion companies
in other industries have gotten from
their BI initiatives. “Most BI implementations
fall below the midpoint on the scale of
success,” says Ted Friedman, an analyst with
Gartner. Restaurant chains use BI effectively
and realize value from it for a variety of reasons,
and other industries would do well to
pay more attention to restaurant chains,
according to Hartmann. Because their industry
is so competitive, they have to be agile, so
their cultures are accustomed to rapid
change. Also, their BI initiatives are closely
aligned with their business strategies, and
the insights that their BI systems produce
contribute to improving operations and the
bottom line. Finally, they’ve found ways to
address three of the biggest barriers to BI
success: having to winnow through voluminous
amounts of irrelevant data, poor data
quality and user resistance.

“If you’re just presenting information
that’s neat and nice but doesn’t evoke a decision
or impart important knowledge, then
it’s noise,” says CKE’s Chasney. “You have to
focus on what are the really important
things going on in your business,” he says.

At Ruby Tuesday—as at most restaurants
and, indeed, in most companies—sales,
products and service are the most important
levers in its business. So, in August
2003, when the chain’s BI system identified
a restaurant in Knoxville, Tenn., that was
underperforming, it used the very same system
to drill down into that store’s specific
problems in an effort to help the company
determine what corrective actions to take.

The company’s BI software indicated that
customers were waiting longer than normal
for tables and for their orders once they
were seated. It was a recipe for customer
dissatisfaction, and of course poor sales.
Management at corporate headquarters
wanted to know what specifically was
wrong. Was the restaurant not adequately
staffed? Was the problem with the kitchen
staff, a server, an assistant manager, a general
manager—or with something beyond
the company’s control, like the location?

Managers used BI tools to study food
costs. High food costs might have indicated
inadequately trained cooks who were ruining
a lot of food before getting dishes right,
which would have contributed to increased
wait times. But food costs were normal.

Managers then assessed the time it took
for a table to change hands from one patron
to the next, using the BI system to calculate
the time between when a waitstaffer opened
a check on the point of sale to the time the
customer paid the tab. Nick Ibrahim, senior
vice president and CIO of Ruby Tuesday,
says the average time it takes a restaurant to
turn over a table from one customer to the
next is 45 minutes. So if the company sees in
its BI system that it takes 55 to 60 minutes to
close a check at a particular restaurant, people
aren’t getting their food as fast as they
should. (The problem is rarely a matter of
diners lingering over their meals, especially
if it’s taking the waitstaff at every table
55 minutes to close the check.) Management


AT  RUBY  TUESDAY,  CIO  Nick  Ibrahim  used  a  business  intelligence  system  to  troubleshoot  issues  at  an  underperforming  restaurant. 
His  discovery:  Sluggish  table  turnover  was  taking  a  bite  out  of  business.  His  solution:  Reengineer  the  kitchen. 


WHEN  YOU  STEPPED  AWAY 
FROM  YOUR  DESK,  A  WORM  WAS 
DETECTED,  QUARANTINED  AND 
ELIMINATED  BEFORE  ANYONE 
NOTICED  YOU  WERE  GONE. 




Trend  Micro  and  Cisco  Systems —  working  together. 

Imagine  a  network  solution  so  advanced,  so  secure,  so  ingeniously  proactive, 

you  may  never  have  to  worry  about  an  outbreak  again. 

Find  out  more  at  www.trendmicro.com/cisco 




concluded  based  on  this  information  and  by 
visiting  the  restaurant  that  the  long  wait 
times  were  a  result  of  increased  demand. 
The  area  had  been  through  an  economic 
boom,  and  the  restaurant  was  running  at 
full  capacity.  The  company  made  changes  to 
the  layout  of  the  kitchen,  the  placement  of 
food and the location of cooks so that everyone
had easy access to the food and equipment
they needed to produce dishes faster,
to move more customers through the restaurant
and ultimately to increase sales. The
changes  increased  the  rate  at  which  tables 
were  turned  by  10  percent,  which  in  turn 
decreased  wait  times  for  customers. 

Insights Are the Meat; Data Is the Relish

The  problem  with  so  many  BI  tools,  says 
Chasney,  is  that  they’re  no  different  from 
the  standard  corporate  reporting  tools  that 
have  been  around  for  years,  which  churn 
out old data like curdled butter and don’t
provide information that executives can
chew  on.  If  companies  really  want  to  get 
value  from  BI,  he  says,  they  need  a  system 
that  provides  them  with  insights,  not  just 
mountains  of  data.  “There’s  nothing  worse, 
in  my  opinion,  than  a  business  intelligence 
system  that  reports  changes  on  a  weekly 
basis,”  he  says,  because  those  systems  don’t 
provide  any  context  as  to  what  factors  are 
influencing  those  changes.  Without  that 
context,  you  don’t  know  whether  the  data 
is  good  or  bad;  it’s  just  useless. 

When  charting  a  course  for  BI,  Chasney 
advises  companies  to  first  analyze  the  way 
they  make  decisions  and  to  consider  the 
information that executives need to facilitate
more confident and more rapid decision
making, as well as how they’d like that information
presented to them (for example, as a
report, a chart, online, hard copy). Discussions
of decision making will drive what
information companies need to collect, analyze
and publish in their BI systems.

When Chasney started building CPR in
2000, he asked the company’s CEO and the
chief operating officers of CKE’s three restaurant
chains—Hardee’s, Carl’s Jr. and La Salsa
Fresh Mexican Grill—what information is
most important in their efforts to run the
company. The CEO wanted to know what
caused changes in sales. The COOs wanted
something that would indicate business
opportunities they could pursue as well as
clear indicators as to which restaurants were
underperforming. The discussions taught
Chasney that BI systems need to focus on a
company’s most important performance
indicators—including sales and cost of sales;
exceptions, such as those areas of the business
that are outperforming or underperforming
other segments; and historical and
forward-looking business trends—if they’re
to provide the company with any value.

WENDY’S CIO JOHN DEANE says his BI system found that customers
using credit cards spend 35 percent more per order than those who pay cash.

PHOTO BY STEVEN VOTE

The Value of Plastic

CREDIT CARDS: To accept them at Wendy’s restaurants
or not to accept them? That was the question
facing executives in early 2003. Sure, customers
would appreciate the convenience of being able to
pull out the plastic when they were short on cash to
purchase a value meal, but would such an option be
a losing proposition? Executives decided to test the
impact that credit cards would have on sales by
accepting them in select stores. The company used
its business intelligence system to determine how a
credit card purchase affects sales and speed of service,
and to measure the amount of cannibalization
from credit cards—in other words, the number of
transactions that would have been in cash but that
are now on credit because it’s an available option.

To their surprise, executives learned that people who
use credit cards spend more and buy more than they
would if they were using cash. People who pay cash
tend to buy value meals, which, while good for consumers’
pockets, are less profitable for Wendy’s. By
contrast, consumers who pay with plastic tend to
order a la carte, which tallies up to a larger tab.
Indeed, the average check paid for by credit card was
35 percent higher than checks paid for in cash. With
sales numbers like that, Wendy’s introduced credit
card readers nationally in June 2003. -M.L.

Good BI systems also need to give context.
It’s not enough that they report sales were X
yesterday and Y a year ago that same day,
says Chasney. They need to explain what factors
influencing the business caused sales to
be X one day and Y on the same date the previous
year. CPR uses econometric models,
which the company reviews and refines each
month, to provide context and to explain performance.
The econometric models take into
consideration 44 factors, including the
weather, holidays, coupon activity, discounting,
free giveaways and new products. If the
CEO wants to find out why sales were down
on any given day at Hardee’s, all he has to do
is click the “explain” button on his computer
screen, and the model performs its magic.
The CEO will see, for example, that 5 percent
of the 8 percent decrease was due to torrential
rain in the Northeast and 2 percent was
due to free giveaways.

“If  your  business  intelligence  system  is 
not  going  to  improve  your  decision  making 
and  find  problem  areas  to  correct  and  new 
directions  to  take,  nobody’s  going  to  bother 
to  look  at  it,”  says  Chasney. 


Start with the Freshest Ingredients

The key to getting accurate insights from BI
systems is standard data. “Data quality
remains a very overlooked issue in business
intelligence, but a massive one,” says Gartner’s
Friedman. “I continue to see failures
due to a lack of attention to data quality.”
Data is the most fundamental component of
any BI endeavor. It’s the building blocks for
insight. Companies have to get their data
stores and data warehouses in good working
order before they can begin extracting and
acting on insights. If not, they’ll be operating
based on flawed information.

Ruby Tuesday’s Ibrahim advises companies
to develop plans that outline what
they’re going to do with data once they get it,
practices for preventing redundant data and
methods for organizing it in a way that
makes sense to the business. For instance,
Ruby Tuesday organizes its data around
three categories—sales, labor and food
costs—that happen to be the key drivers of
its business. Those three categories are
tracked in an Oracle database and put into
separate table spaces for ease of reporting
and processing, Ibrahim says. That way,
information on what products are selling
does not get mixed up with information on
labor and vice versa.

Knowing that the key to using information
to improve decision making is ensuring
that the transactional data collected at
the point of sale is consistent and accurate,
Ibrahim standardized all of the company’s
restaurants (700 at the time), including
those run by franchisees, on a common
technology platform in 2001. He also moved
the company onto a Microsoft SQL server
and open-architecture databases from Oracle
and Sybase, which makes it easier for
business analysts to get to the data they
need. The open architecture lets analysts
run specific queries against databases when
they’re looking to find out, say, how many
margaritas the company sold on Cinco de
Mayo, rather than having to sift through
mountains of data to get the answer.

Unfortunately, few companies have the
luxury of replacing disparate technology
with common systems across all of their
units. Wendy’s is a case in point. While all
1,500 of the company-owned restaurants
use the same technology, approximately
5,000 franchises don’t. The sales data that
franchises send to corporate headquarters
looks different from the data that company-owned
stores submit because franchise data
is reported on a weekly basis at an aggregate
level. By contrast, more granular transactional
data collected directly from the point-of-sale
systems of company-owned stores is
sent to corporate headquarters on a daily
basis. As a result of those differences,
Wendy’s corporate doesn’t have the highest
possible level of visibility into its franchise
operations.

More Intelligence

Online exclusives with this article include a
look at HOW BI UNCOVERS RIP-OFFS at Carlson
Restaurants, as well as BI SCREENSHOTS
from Ruby Tuesday’s reporting system. Find
them linked to the online version of this story
or at www.cio.com/031505.

Wendy’s Deane acknowledges that this
less-than-ideal environment for BI creates
problems for the company when it needs to
compare aggregated sales information from
franchises with transactional data from
company-owned stores—it’s a hamburgers
to cheeseburgers comparison. He says the
company needs to increasingly make these
comparisons as it looks to expand the pool of
stores it uses for product testing and as it
attempts to improve supply chain integration.
To compensate for their suboptimal
data collection environment, Deane is using
an XML standard to collect more detailed
information from franchisees who operate a
large number of stores. (For smaller franchises,
Wendy’s uses a Web-based data




collection system.) He also uses heuristics,
or rules of thumb, based on activity at
company-owned stores to extrapolate
meaning from the aggregate data that franchises
provide. For example, if a franchise-owned
store does $30,000 worth of
business in a week, Wendy’s corporate can
make assumptions as to how that $30,000
would break down into sales of french fries,
baked potatoes, hamburgers, chicken sandwiches
and the like based on sales from
company-owned stores in similar markets
with similar aggregate sales histories. Proxies
such as these may not be perfect, but
they are a practical workaround and can be
modified as needed to accommodate further
integration with other systems, like the
point of sale. Wendy’s has no plans to get
its franchises on standard technology
because it sees its franchisees as entrepreneurs
capable of making their own decisions
about their operations, including
choice of technology.

Because Wendy’s is starting to understand
the importance of having standard
data to fuel business initiatives such as supply
chain integration, the company was able
to replace the phone lines and unstable
modems that stores were using to transmit
data to headquarters with a satellite connection
in September 2002. The new, stable
network  helped  improve  the  amount  and 
quality  of  data  that  headquarters  collects 
from  both  franchise-  and  company-owned 
stores.  Where  in  the  past  Wendy’s  would 
miss  information  from  as  many  as  40  stores 
out  of  1,200  due  to  unstable  modems,  it  now 
gets  consistent  information  from  1,483  out  of 
1,488  stores  every  night. 

Why Force-Feeding Won’t Work

Like  so  many  technology  projects,  BI  won’t 
yield  returns  if  users  feel  threatened  by,  or 
are  skeptical  of,  the  technology  and  refuse  to 
use  it  as  a  result.  And  when  it  comes  to 
something like BI, which, when implemented
strategically ought to fundamentally
change  how  companies  operate  and  how 
people  make  decisions,  CIOs  need  to  be  extra 
attentive  to  users’  feelings. 

Tips for Getting BI Right

> Analyze how executives make decisions.

> Consider what information executives need in order to
facilitate quick, accurate decisions.

> Pay attention to data quality.

> Devise performance metrics that are most relevant to the
business.

> Provide the context that influences performance metrics.

> Take into account users’ feelings, and address their
concerns up front. -M.L.

When Wendy’s began using its BI system
to generate sales forecasts for stores, operators
were skeptical. They didn’t think technology
could possibly take into consideration
how local factors—such as weather,
events and traffic patterns—affect their
sales. Deane recognized that it’s tough for
people to quit relying on their experience
and gut, so he listened to operators’ concerns.
Instead of forcing them to accept the
forecasts, which he knew to be extremely
accurate, he told them they could modify
the forecasts from the BI system so long as
they explained why and provided they later
compared actual sales with what they forecasted
and what the system predicted. The
operators who modified the forecasts realized
that the technology was often more
accurate than they were. When they saw
that they could improve their operations by
better staffing their restaurants and more
accurately ordering food to meet forecasted
demand, they increasingly embraced BI. In
effect, Deane let the users come to the
trough on their own terms.

One might argue that Wendy’s could
have gotten better results more quickly had
it forced store managers to use the forecasts.
However, if it had, it would have run
the risk of facing mutiny from the operators.
And had store operators fought the
forecasts, that would have disrupted operations
much more than the delay the company
experienced by letting operators
modify the forecasts. Deane says being sensitive
to users’ concerns was more important,
even at the expense of slowing down
the rate of return.

“Trying  to  convince  1,500  store  managers 
to  automatically  accept  a  new  tool  that  is 
going  to  have  an  impact  on  their  ability  to 
perform  in  their  store  is  no  trivial  matter. 
You  have  to  be  very,  very  careful  how  you 
deal  with  the  change  management  and  the 
acceptance  side  of  an  implementation,”  says 
Deane.  And  if  you  do  it  right,  you  can  realize 
an  ROI  of  430  percent  over  a  five-year 
period,  according  to  IDC  (a  sister  company 
to  CIO’s  publisher).  Adds  Deane,  “Of  all  the 
projects  that  one  attempts  to  do  as  a  CIO, 
business  intelligence,  if  well  managed  (and 
it’s  not  always  well  managed)  contributes 
far, far more than it costs.”


Senior  Writer  Meridith  Levinson  can  be  reached  at 
mlevinson@cio.com.


What Will It Take for You to Succeed in 2005?

Drawing on continuous research with hundreds of IT executives and other business
leaders and experts, CIO’s editors have identified the five must-dos that make up
the successful CIO’s 2005 Leadership Agenda. CIOs who marshal their efforts
behind these imperatives will get the most value from IT, help their enterprises
compete more successfully and elevate the strategic importance of IT.

We address each of these leadership priorities in an intensive fashion with
the most robust multimedia content portfolio we’ve ever assembled for a single topic:

• More than a dozen CIO feature articles
• Five topic-specific webcasts
• A live CIO event in Boston, May 9-10
• Dedicated website: agenda.cio.com
• Leadership tools and models
• Article archives

In this issue we focus on the third imperative, “Run IT Efficiently and Effectively,”
with a feature on risk management. Turn the page to begin fulfilling your leadership
agenda for high-impact IT.

LEADERSHIP IMPERATIVES FOR 2005

• Drive Innovation and Growth While Managing Costs
• Run IT Efficiently and Effectively
• … Generation of IT
• Manage CXO Expectations

RUNNING THE RISK

BY ALLAN HOLMES

CIOs are the executives best positioned to champion enterprise risk
management. Use this five-step leadership strategy to get the ball rolling.

Part of the CIO Leadership Agenda series

Reader ROI

:: Why CIOs are taking a leadership role in enterprise risk management
:: The leadership skills essential for the ERM effort
:: Ways that CIOs demonstrate ERM leadership

PHOTO  BY  DANUTA  OTFINOWSKI 


NASA  Acting  Deputy  CIO  Scott  Santiago  built  commitment  to  managing 
enterprise  security  risks  through  months  of  meetings  with  division  CIOs, 
security  staff,  engineers  and  line-of-business  managers. 




Enterprise  Risk  Management 


What Is Enterprise Risk

ERM is a management approach focused on maximizing shareholder
value or ensuring business continuity by creating a single view
of all risks (internal and external) and an executive-level strategy
to deal with those risks. As applied to IT, it is the identification
and management of the risks that all IT systems, policies and
procedures pose to the financial and operational health of
the business. ERM connects the dots between a risk created
in one department and an outcome in another, and offers a process
to mitigate those risks. ERM can help organizations make
better decisions about which business investments to make and
which ones to avoid.

To learn more about what ERM is and why it is important, see
“Risk’s Rewards,” www.cio.com/printlinks.

-A.H.


On Feb. 1, 2003, the space shuttle Columbia, its
aluminum frame melting under 3,000 degree
heat, disintegrated high in the
Texas sky, killing all seven astronauts
on board. Nearly seven months after the
tragedy, the independent Columbia
Accident Investigation Board assigned
the blame not only to a chunk of foam
insulation that broke off during liftoff
and damaged the left wing but equally
to a NASA management culture that
short-circuited communication between
agency offices responsible for different
aspects of the shuttle program. Managers
in the geographically dispersed NASA
space centers charged with shuttle safety
had no formal process for discussing
their concerns with each other or devising
a comprehensive strategy for mitigating
them.

After the investigation, NASA executives
prompted their top managers to
improve  internal  communications. 
That’s  when  Acting  Deputy  CIO  Scott 
Santiago,  who’s  in  charge  of  IT  security, 
began  to  look  at  ways  he  could  reduce 
IT  security  risks  throughout  the 
agency.  Although  IT  security  played  no 
part  in  the  shuttle  disaster,  Santiago 
knew  that  the  IT  systems  supporting 
the  shuttle  and  dozens  of  other  NASA 
programs  were  critical  to  the  success 
and  safety  of  space  missions. 

He noticed that information supporting
NASA’s programs spanned the
agency’s space centers. Thousands of
people across the country were involved
in creating or using information that
was shared among different operations.
These people rarely communicated and
followed different policies and procedures
for IT security. The lack of consistency
created unacknowledged risks
that  a  virus  or  some  other  breach  could 
compromise  information  that  secures 
people  and  equipment. 

To begin accounting for those risks
and mitigating them, Santiago took an
enterprise approach: a discipline called enterprise risk management.
ERM focuses on maximizing shareholder value or ensuring
business  continuity  by  creating  a  single  view  of  all  risks  (internal 
and  external)  and  an  executive-level  strategy  to  deal  with  those 
risks.  Done  right,  ERM  increases  business  value,  while  reducing 
the  potential  for  losses  or  catastrophes,  through  better  decisions 
about  IT  investments  and  improved  systems  management. 

Like Santiago, many CIOs are now faced with the challenge
of managing enterprise risks, for the simple reason that businesses
depend more than ever on IT to be able to function (see
“CIO, It’s You,” Page 68). Yet ERM is complex; it’s esoteric; and
it requires a culture change that is
frequently resisted by organizations,
because people view identifying
risks as a form of criticism.

Santiago  knew  it  wasn’t  going  to 
be  easy  to  get  NASA  managers  to 
change  the  project-oriented  risk 
management  approach  they  had 
used  for  decades.  “People  tend  to 
think  technical,  like  firewalls  and 
VPNs,”  Santiago  explains.  “But  we 
must  look  at  the  bigger  picture  of 
what  is  the  risk  associated  with 
information,  what  [do]  I  need  to  do 
to  protect  that  information  and 
how [do] I manage it.”

To get the ERM ball rolling,
CIOs need a leadership strategy. So
we synthesized one based on interviews
with nearly 2 dozen consultants,
academics and CIOs who
are  practicing  ERM.  You’ll  notice 
that  the  five  steps  in  this  strategy 
apply  to  many  other  leadership 
challenges.  Here’s  how  to  make 
them  work  for  ERM. 


Not everyone understands risk. You have to adapt your
message for the different attitudes toward risk that you encounter.


FIND  INSPIRATION 


Some  CIOs  find  the  inspiration  for  ERM  unavoidable:  Without 
an  enterprisewide  view  of  risk,  people  could  die.  For  example, 
IT  has  become  central  to  the  way  the  Navy  fights.  The  CIO  for 
the  Department  of  the  Navy,  Dave  Wennergren,  is  in  the  midst 
of  deploying  an  enterprisewide  Navy-Marine  Corps  Intranet, 
which,  when  completed  this  year,  will  provide  a  standard  way 
for  land  bases  and  ships  at  sea  to  exchange  real-time  battle 
information.  If  the  system  fails,  sailors  and  fighter  pilots  won’t 
get  the  information  they  need  in  combat,  Wennergren  notes. 
The  Sept.  11  attack  on  the  Pentagon,  which  took  out  the  Navy 
command  center,  exposed  the  risk  to  military  operations  from 




locating  communications  equipment  in  a  single  location  and 
underscored  for  Wennergren  why  ERM  is  critical. 

But sometimes, especially if you’ve been handed a mandate
from the CEO or the board of directors to deploy an ERM strategy,
it takes a little more work to convince yourself of ERM’s
value. Up until the mid-1990s, executives at J.P. Morgan made
decisions about investments in new business ventures based on
the forcefulness of the executive making the argument. That
strategy led to some unpleasant surprises for the bank when
new investments didn’t work out as well as they could have,
says Bill Sharon, the bank’s former chief risk officer for technology,
who is now a consultant. J.P. Morgan executives, Sharon
recalls, would decide to open offices in new countries without
considering a range of operational risks, including the impact
on IT and telecommunications.

The bank’s chairman at the time asked executives for a better
decision-making process for choosing investments. Sharon,
working with the head of the bank’s corporate real estate business,
took the initiative to devise a process for scoping out the
requirements—including the IT needs—for any new business
initiatives.  When  he  was  finished,  he  realized  that  the  process 
he  had  developed  amounted  to  analyzing  enterprise  risks;  he 
became  sold  on  ERM. 

Sharon  asked  people  in  every  department  how  they  were 
affected  by  a  new  business  initiative.  He  then  developed  a  list 
of  conditions  to  address  before  someone  could  present  a  new 
product  or  location  to  the  executive  committee,  including  what 
IT  investments  or  support  were  needed.  For  the  project  to  be 
approved,  the  project  sponsor  had  to  gather  information  from 
each  business  line  or  department  to  demonstrate  that  they  had 
addressed  the  necessary  implementation  issues.  For  example, 
if  a  new  office  was  opened  in  Mexico  City,  project  sponsors  had 
to report on how many computers would be needed, the network
connections required and the reliability of electric power.
None  of  these  questions  were  being  asked  routinely,  yet  they 
were  often  critical  to  a  new  venture’s  success. 

“I  learned  that  your  responsibilities  in  IT  or  anywhere  in 
the  business  aren’t  bounded,”  Sharon  explains.  “You  can’t  just 
do  your  piece  and  go  home.  Second,  in  [IT],  no  one  really  knows 
what  the  business  strategy  is.  That’s  when  I  realized  ERM  gets 
people  on  the  same  page.” 


DEFINE  YOUR  MESSAGE 


CIOs who have become ERM leaders in their companies say
defining your message for why ERM is necessary is one of the
most important steps to raising awareness about it—and it is
arguably the most difficult. Because ERM spans the enterprise,
you must understand the intricacies of the operations in each
line of business. It also requires you to think about events or
consequences that you may have either ignored or preferred not
to consider, especially if the culture of the corporation views
thinking about risks as pessimistic.

Bill Sharon, a consultant and the
former CIO of McCann WorldGroup, took
the opportunity to educate colleagues
about risk while working on IT projects.

“You must find a way to describe the risk,” says David Weymouth,
former CIO with Barclays Bank, who now heads the
bank’s  business  ethics  strategy.  “If  you  can’t  find  a  way  to 
describe  it,  then  you’ll  never  get  anywhere.” 

That  may  require  you  to  devise  a  new  way  of  talking  about 
IT  with  your  executive  colleagues  and  staff  alike.  At  NASA, 
Santiago  created  an  enterprise  model  for  IT  security  that  is 
replacing  the  traditional  view  that  each  NASA  center  should 
manage  its  own  IT  security.  From  his  perch  at  NASA  head¬ 
quarters,  Santiago  saw  that  most  space  programs  and  the  sys¬ 
tems  that  supported  them  spanned  multiple  NASA  centers, 
which  made  what  happened  at  one  location  dependent  on  what 
happened  at  others. 

Santiago’s  message  centers  around  the  fact  that  information 
must  be  available  to  those  who  need  it.  Thus,  it  has  to  be  pro¬ 
tected  from  threats.  Rather  than  talk  about  securing  individual 
systems,  he  talks  about  securing  what  he  calls  “containers”  of 
information  used  by  NASA  employees.  He  maps  out  who  man¬ 
ages  the  information  in  the  container,  who  has  access  to  it  and 
the  risks  if  that  information  becomes  inaccessible  or  is  altered 
in  any  way.  That  map  can  be  used  to  prioritize  risks  to  data 
and  determine  how  best  to  mitigate  them. 

A  definitive  ERM  message  includes  facts  that  can  be  used  to 


64 


MARCH  15,  2005  |  www.cio.com 


PHOTO  BY  EVAN  KAFKA 


sway  doubters,  says  Barclays’  Weymouth.  He  instituted  a  mon¬ 
itoring  system  to  collect  data  on  Barclays’  operational  systems, 
such  as  the  number  of  times  the  bank  intercepted  a  fraudulent 
payment  or  blocked  a  denial-of-service  attempt.  By  capturing 
how  often  the  IT  shop  has  reduced  the  number  of  incidents 
that  could  have  disrupted  bank  business— which,  for  Wey¬ 
mouth,  are  equivalent  to  risks— he  is  able  to  calculate  savings. 
He  is  also  able  to  use  the  data  to  show  that  Barclays  must  con¬ 
tinue  to  invest  in  IT  to  mitigate  those  risks. 


BE  FLEXIBLE 


Not everyone understands risk, and people view risks differently.
That means you have to be patient and give your audience
time  to  understand  what  you  are  talking  about.  Flexibility  is  the 
key  here  so  that  you  may  adapt  your  message  for  the  different 
attitudes  toward  risk  you  encounter. 

George  Westerman,  a  research  scientist  at  MIT’s  Sloan 
School  of  Management  who  is  studying  ERM  in  relation  to  IT, 
illustrates  the  point  with  a  story  about  his  4-year-old  daughter, 
who  enjoys  climbing  on  a  jungle  gym.  When  she  reaches  about 
halfway  up,  she  says,  “Daddy,  look  at  me.” 


“My impulse is to say, ‘Great. Go all the way to the top,’ hoping
to avoid the risk of overprotecting her,” Westerman
explains.  “Her  mother’s  inclination  is  to  say,  ‘Get  down  now,’ 
hoping  to  avoid  the  risk  that  our  daughter  may  fall  and  hurt 
herself.  We  both  have  different  ideas  of  risk,  yet  we  both  have 
our  daughter’s  welfare  first.  It  turns  out  that  an  appropriate 
response  is  to  stand  beside  her  and  let  her  climb  as  high  as  she 
wants  and  be  there  in  case  she  falls.”  The  message,  Westerman 
says, is that his daughter can take a bigger risk, given the
appropriate safeguards.

Sometimes  delivering  your  ERM  message  requires  you  to  not 
talk  about  risks  at  all.  When  Sharon  was  CIO  at  the  advertising 
agency  McCann  WorldGroup,  he  sometimes  avoided  the  topic 
altogether.  During  one  project  for  the  agency’s  global  accounts 
group,  he  knew  account  managers  wouldn’t  understand  what  he 
meant  about  managing  risks.  The  group,  which  was  responsible 
for  more  than  100  markets,  was  having  trouble  keeping  track  of 
its  e-mail  and  faxes  from  the  company’s  various  lines  of  business. 
These  communications  were  frequently  lost  or  took  a  long  time 
to  locate,  increasing  the  risk  that  the  group  could  not  respond 
quickly  enough  to  clients. 

Instead  of  discussing  risks,  Sharon  talked  about  how  an 
Intranet  could  improve  the  group’s  service  to  customers.  He 
told  them  he  understood  how  hard  they  were  working,  and 
offered  to  help  them  with  logistics  so  that  they  could  focus  on 
serving  clients  better.  Once  the  website  was  deployed,  he 
recalls, the group started making business decisions in real
time, reducing the risk that dissatisfied clients would take their
business  elsewhere. 

Other times, the straightforward approach works best. Westerman
relates the story of a CIO at a Fortune 100 company
who needed to sell his board of directors on taking what seemed
to be a bigger than usual risk on a large corporatewide IT project.
The company’s IT department had never missed a deadline
or run over budget. The reason was that the IT department had
always doubled its estimates of the amount of time and money
needed to complete its projects.

The CIO decided this management approach was too risky for the
company because it didn’t give the board accurate information
with which to make business decisions. It also gave the IT
department an incentive to spend too much money.

The CIO decided that this time he would give the board the most
accurate cost estimate and time line for the project, and explain
that he might have to come back for more money and time.

Westerman says that before the meeting, the CIO, typically a steady
individual, was “shaking in his boots.” The CIO assumed the
board would think his approach lacked proper analysis and
increased the risk of project failure. But the board approved the
project and did not condemn the CIO’s judgment when he came
back a few months later to say that the project would be two
months late and would cost more. The CIO had prepared them
by outlining the risks.

CIO Leadership Agenda

This story targets the Leadership Agenda topic “RUN I.T.
EFFICIENTLY AND EFFECTIVELY.” You’ll find more material on this
and the four other topics for 2005 on the new, dedicated
website AGENDA.CIO.COM. Look there throughout the year for
articles, tools and webcasts on driving innovation, proving IT
value, running IT efficiently, developing leaders and
managing expectations.


GET OUT OF THE OFFICE


Leaving  your  office  to  walk  the  shop  floor,  meet  managers  in 
other departments or travel to the organization’s key installations
is an acknowledged best practice for IT leadership. And it
is  particularly  important  for  leading  ERM.  That’s  because  ERM 
requires  a  mind-set  change.  There’s  a  tendency  for  employees  to 
ignore  ERM  and  go  back  to  traditional  ways  of  thinking  about 
risk  if  the  ERM  philosophy  and  practices  are  not  reinforced. 

“Leading  the  ERM  effort  requires  the  development  of  personal 
relationships,”  Sharon  says.  “You  have  to  solve  the  problems  that 
are  important  to  your  business  partner,  whether  they  appear 
trivial  or  not,  and  then  introduce  processes  that  expand  their 
awareness  of  the  operations  of  the  business.” 

Santiago  says  he  has  met  with  several  hundred  people  across 
NASA  to  explain  his  view  of  ERM  for  IT  security.  He  has  traveled 
to  NASA  centers,  conducted  teleconferences  and  workshops  to 
offer  advice  and  to  explain  his  enterprisewide  approach  for 
reducing IT security risks. His audience includes NASA’s divisional
CIOs, IT security staff, line-of-business managers and
engineers—anyone who will listen. After nine months, they’re
beginning to absorb his lessons.

Santiago  held  an  IT  security  workshop  last  December  that 
was  attended  by  computer  security  officials  from  the  space 
shuttle  program.  The  purpose  of  the  workshop  was  to  define 
the  steps  needed  to  construct  a  master  plan  for  IT  security.  One 
task was to decide what information that moves between centers
must be kept secure. Then, the group was able to identify
the risks to the information—such as its vulnerability to viruses
and cyberattack, or to its alteration (intentionally or not) by an
employee—as well as steps to mitigate these risks.

“People began arguing with me on how to get it done,” Santiago
says. “That means they own it. I know I’m successful
when they stop referring to me and my plan and start using the
words I and we.” He observes that the IT security staff throughout
NASA has begun to look for operational risks on a daily
basis. ERM has become a part of their job.


Why IT must champion enterprise risk management

Among enterprise risk management experts, there’s widespread
agreement that the CIO is the most appropriate senior-level
executive to lead her company’s transformation to a risk-managed
organization—whether or not she wants to. “CIOs are going to be
dragged into the leadership position on ERM,” warns Bob Charette,
a risk management expert with the IT consultancy Cutter Consortium.

CIOs will be in the ERM hot seat for several reasons. First and
foremost: IT is now critical to most business operations. When
systems are down because of a virus or power outage, so is your
business. Second: Because IT supports every department, the CIO
is the senior executive with the broadest knowledge of his
company’s business processes. Because of these trends, some ERM
experts predict that corporations will begin to appoint board
members who have a deep understanding of IT and its risks. These
board members will want to talk to you.

For all of these reasons, even if a company hires a chief risk
officer—an ERM specialist—to handle the corporatewide effort,
the CIO will still have a prominent leadership role. Charette
notes that as technology products become commodified, companies
will differentiate themselves according to how effectively they
use IT—including how well they manage its risks.

Besides, says Bill Sharon, who recently left his job as CIO at
McCann WorldGroup to start his own risk management consultancy,
Strategic Operational Risk Management Solutions, the chief risk
officer’s job is to find problems; it’s the CIO’s job to solve them.

Your actions and your attitude must match your message. “If leaders
don’t follow through with behavior, then the rest of [these
steps] are nonsense,” warns Bob Charette, director of the Cutter
Consortium’s ERM and governance practice.

Business unit managers and executive suite colleagues may
view someone who points out risks in their area of responsibility
as criticism. In turn, those who bring perceived risks to you
about IT systems may seem to be criticizing you. Resist the tendency
to take information about risks posed by IT as negative.

Instead, encourage your staff and colleagues to identify enterprise
IT risks by positioning the information about such risks
as  a  chance  to  solve  problems.  Former  Secretary  of  State  Colin 
Powell,  also  a  former  chairman  of  the  Joint  Chiefs  of  Staff, 
encouraged  soldiers  to  bring  him  problems.  “The  day  [they] 
stop  bringing  you  their  problems  is  the  day  you  have  stopped 
leading  them,”  he  says. 

One  way  to  walk  the  ERM  walk  is  to  continually  reinforce 
the need for constant attention to ERM through business continuity
testing. Just like school kids practicing fire alarm drills
to  emphasize  the  importance  of  fire  safety,  CIOs  should  insist 
on  testing  business  continuity  plans  to  send  the  message  that 
the  organization  is  serious  about  managing  enterprise  risks 
that  stem  from  IT. 

Steve  Randich,  CIO  with  Nasdaq,  relies  on  regular  tests  of 
his  data  center’s  business  continuity  plans  to  remind  his  staff 
that  ERM  is  a  core  principle  for  the  organization.  About  3,300 
companies  are  listed  on  the  Nasdaq,  which  processes  about 
20,000  transactions  a  second  and  receives  information  from 
about 350,000 desktops and workstations worldwide. If Nasdaq
can’t operate its transaction systems, it has to close the
market.  “We’re  then  out  of  business,”  says  Randich. 

After  9/11,  it  took  four  months  for  Nasdaq  to  permanently 
relocate  its  New  York  City  offices.  The  data  center  was  able  to 
continue  operating  (although  the  government  shut  down  the 
markets  for  four  days),  but  Randich  realized  that  the  company 
needed  a  more  detailed  risk  management  plan.  Nasdaq’s  new 
plan included the extra equipment it would need (such as desktops
and Internet access), procedures for communicating with
employees  and  alternative  work  sites  in  case  of  a  disaster. 

Randich  checks  his  assumptions  on  a  biweekly  basis.  He 
doesn’t  just  run  tests  of  his  backup  systems;  he  also  makes  sure 
that  new  employees  are  informed  of  where  to  go  and  what  to  do 
in  case  of  an  emergency.  In  addition,  he  confirms  that  he  has 
enough cell phones to give to employees in the event that landlines
are down. Randich also designated a team who, in the
event of a catastrophe, will check in with the 300-plus market
makers who trade on the stock exchange to determine whether the dealers can create
enough demand to keep the market open. “If [that list] is out of date, it’s not worth the
paper it is written on,” says Randich.

By  testing  the  plan  so  often,  Randich  says  the  message  is  sent  loud  and  clear  to  the 
entire  company  that  the  IT  department  is  serious  about  keeping  the  trading  network  up 
no  matter  what.  “The  idea  is  not  trying  to  figure  all  this  out  in  the  middle  of  a  crisis,”  he 
explains.  “You  make  sure  you  have  it  all  ironed  out.” 

The  bottom  line  is  that  ERM  is  now  essential  to  running  a  company  in  a  world  where 
risks  are  ubiquitous  and  IT  is  both  the  source  and  the  conduit  of  many  of  those  risks.  To 
adopt  ERM,  companies  need  a  credible  leader,  someone,  says  Barclays’  Weymouth,  who  is 
“senior  and  respected  in  the  organization,  someone  [who]  knows  the  fabric  of  the  business.” 

That person, says Weymouth, is you.




Washington  Bureau  Chief  Allan  Holmes  covers  risk  and  the  public  sector.  Reach  him  at  aholmes@cio.com. 




MARCH  15,  2005  |  www.cio.com 




How to Save the Internet

Computing on the Net is heading for a big fall because
security is a joke. So we summoned the best minds to
see if we could put Humpty back together again.

By Scott Berinato. Illustrations by Tim Bower


Professor Hannu H. Kari of the Helsinki University of Technology is a smart guy, but
most people thought he was just being provocative when he predicted, back in 2001, that
the Internet would shut down by 2006. “The reason for this will be that proper users’
dissatisfaction will have reached such heights by then that some other system will be needed,”
Kari said, “unless the Internet is improved and made reliable.”

Last  fall,  Kari  bolstered 
his  prophecy  with  statistics. 
Extrapolating  from  the  growth 
rates  of  viruses,  worms,  spam, 
phishing and spyware, he concluded
that these, combined
with “bad people who want to
create chaos,” would cause the
Internet to “collapse!”—and he
stuck to 2006 as the likely time.

Kari  holds  dozens  of  patents. 
He helped invent the technology
that enables cell phones to
receive  data.  He’s  a  former  head 
of  Mensa  Finland.  Still,  many 
observers  pegged  him  as  an 
irresponsible  doomsayer  and, 
seeing  as  how  he  consults  for 
security  vendors,  a  mercenary 
one  at  that. 


Reader ROI

• Discover the root problems behind today’s security issues
• Learn about some Big Ideas to solve the Internet security crisis


And yet, in the past year, we’ve witnessed the most
disturbingly effective and destructive worm yet, Witty,
that not only carried a destructive payload but also proved
nearly 100 percent effective at attacking the machines it
targeted. Paul Stich, CEO of managed security provider
Counterpane, reports that attempted attacks on his company’s
customers multiplied from 70,000 in 2003 to 400,000 in 2004,
an increase of over 400 percent. Ed Amoroso, CISO of AT&T, says
that among the 2.8 million e-mails sent to his company
every day, 2.1 million, or 75 percent, are junk. The increasing
clutter of online junk is driving people off the Internet.
In a survey by the Pew Internet and American Life Project, 29
percent of respondents reported reducing their use of
e-mail because of spam, and more than three-quarters, 77
percent, labeled the act of being online “unpleasant and
annoying.” Indeed, in December 2003, the Anti-Phishing
Working Group reported that more than 90 unique phishing
e-mails were released in just two months. Less than a year later,
in November 2004, there were 8,459 unique phishing e-mails
linking to 1,518 sites.

Kari  may  have  overstepped 
by naming a specific date for
the Internet’s demise, but fundamentally,
he’s right. The
trend  is  clear. 

“Look,  this  is  war,”  says 
Allan  Paller,  director  of 
research  for  The  SANS 
Institute.  “Most  of  all,  we 
need  will.  You  lose  a  war 
when  you  lose  will.” 

So far, the information security complex—vendors,
researchers, developers, users, consultants, the government,
you—have demonstrated remarkably little will to wage
this war. Instead, we fight fires, pointing hoses at uncontrolled
blazes, sometimes inventing new hoses, but never really
dousing the flames and never seeking out the fire’s source
in order to extinguish it.

That’s  why  we  concocted 
this exercise, trolling the infosecurity
community to find Big
Ideas  on  how  to  fix,  or  begin  to 
fix,  this  problem. 

Our  rules  were  simple: 
Suggest  any  Big  Idea  that  you 
believe  could,  in  a  profound 
way, improve information security.
We asked people to think
outside the firewall. Some ideas
are presented here as submitted;
others we elaborated upon.
Those who suggested technological
tweaks or proposed
generic  truths  (“educate  users”) 
were  quickly  dismissed. 

What  was  left  was  an 
impressive,  broad  and, 
sometimes,  even  fun  list  of 
Big  Ideas  to  fix  information 
security.  Let’s  hope  some  take 
shape  before  2006. 


MORE MONEY...NEW REGS...A CZAR...SAFER CODING... »

Information  Security 


Proposed Infosecurity General’s Warning:
The use of software and hardware that is
not certified secure can harm your system
and other people’s systems, and you may be
held liable for those damages.


Get All the Smart People Together and Give Them Lots of Money

The  best  place  to  start  is  with 
a  Big  Idea  to  concentrate  and 
organize  all  the  other  big 
ideas— a  Manhattan  Project 
for  infosecurity. 

Daniel  Wolf,  director  of  the 
Information  Assurance  (IA) 
Directorate  at  the  National 
Security  Agency,  believes  that 
while  good  research  is  taking 
place  in  pockets,  a  massive 
undertaking  to  tame  this 
problem  ought  to  be  instituted. 
“It’s  gaining  legs,”  he  says  of 
his  Big  Idea.  “[The  Department 
of  Defense]  put  together  a 
fairly  significant  working 
group  to  look  at  this.” 

Such a project would require cooperation among Wolf’s IA
Directorate (2,700 strong, by the way), DoD, private-sector
scientists, academic researchers, foreign partners, and some of
the national research labs such as Sandia and the Defense
Advanced Research Projects Agency. Wolf wouldn’t say how
much money he’d like to see go to such a project, but The SANS
Institute’s Paller throws out $100 million as a good number.

Of  course,  the  project  would 
encounter  challenges  different 
from  those  faced  by  the  actual 
Manhattan Project. There, engineers
started with a blank sheet
of paper and built the bomb
from scratch. With information
security, a 40-year legacy of
poor coding and bad architectures
must be negotiated. But
then  again,  the  fact  that  it’s  hard 
is  what  makes  it  so  necessary. 

Hire  a  Czar 

A surgeon general-like figure for security is not only a Big
Idea; it’s a popular one. Several folks suggest creating some
kind of “government leader” or “public CIO for security,” none
more vocally than Paul Kurtz, the executive director of the
Cyber Security Industry Alliance. “We need more leadership at
a higher level of government,” he says. At the Department of
Homeland Security, he says, cybersecurity has been buried, and he
believes DHS should have an assistant secretary-level
person for cybersecurity.

At press time, that proposal had been floated but didn’t
make it into the intelligence reform bill. Meanwhile, a succession
of notable leaders for cybersecurity resigned from
their DHS posts—some suggest because of frustration over the
low status of the role within the agency. Congress even explored
the possibility of moving government oversight of cybersecurity
from DHS to the Office of Management and Budget.

“Somehow, the surgeon general
has this special place with
us,”  says  Scott  Charney,  chief 
security  strategist  of  Microsoft. 
“We  don’t  have  the  focal  point 
in  security  that  health  care  gets 
with  the  surgeon  general.” 

One of the surgeon general’s best-known successes is
found on the side of cigarette packages. The smoking analogy
cropped up repeatedly with big thinkers. Once upon
a time, society believed that if you chose to inflict harm on
yourself by smoking, you were free to do so. The concept of
secondhand smoke changed that equation and now smoking
is anathema in many public places.

Networks are no different than smoking in the sense that
your bad security habits can adversely affect innocent
bystanders. Online, in fact, it may be worse since the secondhand
smoke of cyberspace doesn’t dissipate with time or
space. It debilitates every machine it touches equally, as
if everyone was forced to take a drag.

We propose a high-profile surgeon general for information
security, who reports to the secretary of DHS. Imagine
labels on software like those on cigarettes—Infosecurity
General’s Warning: The use of software and hardware that is
not certified secure can harm your system and other people’s
systems, and you may be held liable for those damages.

Make Computers Disposable

James Whittaker, author of How to Break Software
and coauthor of How to Break Software Security,
proposes that everyone should have two computers—one
permanent and one disposable.

We should note that Whittaker doesn’t mean the
box is disposable, but rather the information in that second
system is fungible. Think of cash transactions. Short of a
receipt, when they’re over, they’re over. In some ways, that’s a
security feature.

“It would likely be two processors in one box,” Whittaker
explains. “The main processor is your PC, where you do all your
work up to the point of transaction. The second computer would
stay blank until you were ready to make your transaction. It would
handle the transaction and then, once you were done, flash back
to its blank state.”

Whittaker takes this further and suggests that, like phone
cards, people could buy Internet transaction cards with disposable
authentication so that they’re not putting credit card
numbers online, and no one at the other end is storing them
either. “Sure, there are tremendous programming and architecture
challenges here, but I think that would be fun.”

Vint Cerf, so-called father of the Internet and acknowledged
big thinker, echoed Whittaker’s idea when talking about the need
for a certificate infrastructure on the Internet. “The problem has
always been, certificate revocation is a [pain],” Cerf says. “Some
people are now saying instead of dealing with revocation of
credentials at all, you simply throw out the certificate once it’s
used. And every time you have to validate, you do it again.”

The cost, of course, is time and convenience to the person who
has to reauthenticate for every transaction. Then again, that’s
better than having your identity stolen. Disposable transactions
would redefine the Internet and completely upset the balance
of power online, where hackers have feasted on insecure transactions
chiseled forever in digital stone. -S.B.


Wield Sticks, Dangle Carrots

Recently, the U.S. Air Force, mired in patching hell, got what
it wanted from Microsoft—a more secure version of Windows,
configured uniformly across the agency. Microsoft
agreed to the deal, according to reports, because the Air Force
had considered moving to open-source software. The Air
Force CIO and security champion John Gilligan was quoted
as saying at the time, “We want Microsoft focused not on selling
us products but [on enhancing] the Air Force in our mission.”
He added that he hoped his agency’s demands would spill
over to other organizations that could take advantage of the
secure configuration.

At any rate, Gilligan has a pretty big stick to wield (or
carrot to dangle, depending on whether you’re an optimist
or a pessimist) to get what he wants—a $500 million contract.
But incentives as a Big Idea, to motivate others into
better security, can be applied by anyone. Here are some of
the incentives-based programs suggested to us:

■  Get  a  legal  opinion.  Chris- 
tofer  Hoff,  CISO  of  WesCorp, 
says  that  users  should  require 
their  vendors  to  have  lawyers 
run  software  through  the 
assessment  mill  and  churn  out 
a  legal  opinion  on  how  its  secu¬ 
rity  would  hold  up  in  a  liability 


case.  Watch  as  the  vendors 
scramble  to  make  sure  their 
software  can  pass  muster. 

■  Software  Underwriters
Laboratory  (UL).  Why  not
warehouse  those  legal  opinions
or  other  independent
assessments  with  a  UL-like
organization?  You  wouldn’t
buy  a  $400  iPod  if  it  didn’t  get 
approved  by  UL,  but  you’d  buy 
a  $4  million  software  system 
with  no  analogous  security 
assessment? 

■  If  those  Big  Ideas  take  off, 
then  watch  as  the  insurance 
industry  uses  the  data  to  adjust 
premiums.  Vendors  would 
instantly  devote  more  resources 
to  building  better,  which  would 
result  in  lower  insurance  rates 
on  their  products. 

■  File  class-action  lawsuits. 
It  may  come  to  this.  Keeping 
with  the  smoking  analogy,  all  it 
will  take  is  a  sufficient  level  of 
outrage  and  damage  before 
enterprising  lawyers— who’ve 
already  tried  this— success¬ 
fully  hold  vendors  accountable 
for  poor  software. 

Treat  End 
Users  Like 
the  Dummies 
They  Are 

Amoroso  of  AT&T  believes 
that  the  fundamental  security 
problem  is  that  during  the  past 
decade,  and  quite  unintention¬ 
ally,  the  network’s  intelligence 
has  migrated  to  the  edge. 
“We’re  all  sys  admins,”  he 
says.  And  millions  of  end 
users  holding  sway  over  their 
security  settings  translates 
to  millions  of  potential  dumb 
configurations,  boneheaded 
double-clicks  and  uninten¬ 
tional  security  lapses.  Acci¬ 
dents  happen,  and  bad  guys 


www.cio.com  |  MARCH  15,  2005




take  advantage  of  the  fact  that 
not  all  end  users  are  created 
equal  in  terms  of  security. 

After  all,  Amoroso  argues, 
do  you  control  power  distribu¬ 
tion  around  your  house,  or  do 
you  just  plug  stuff  in? 

He  thinks  AT&T  can  make 
a  ton  of  money  off  this  idea: 
Return  control  to  the  network 
providers  (like  his  own  com¬ 
pany’s  phone  system  in  the 
1970s,  he  says,  a  time  when 
Ma  Bell  controlled  everything, 
including  the  technology’s 
interface),  and  let  the  providers 
charge  you  for  doing  all  of  the 
filtering,  traffic  analytics, 
worm  detection  and  incident 
response.  “That’s  my  solution,” 
Amoroso  says.  “Create  a 
service.  Make  money.” 

Becky  Autry,  CIO  of  the 
United  States  Olympic 
Committee,  loves  Amoroso’s 
plan.  “It’s  overwhelming;  I’m 
overwhelmed,”  she  sighs. 
Autry  has  a  network  staff  of 
just  three  to  handle  IT  for  three 
training  centers  as  well  as 
x  I  events  security.  “Smaller 
organizations  just  can’t  get 
good  or  dedicated  staff  to  han¬ 
dle  a  problem  that’s  so  large 
and  changing  so  quickly.” 

Eliminate 
All  Coding 
Errors  Within 
Two  Years 

Mary  Ann  Davidson,  CSO  of 
Oracle  and  champion  of  the 
quality  coding  movement,  says 
she’s  tired  of  coders  arguing 
that  their  jobs  are  too  creative 
to  eliminate  errors  such  as 
buffer  overflows— that  coding’s 
an  art,  not  a  science.  She 
applauds  ethical  hacking, 
where  developers  attempt  to 
break  software  before  selling 


Embed 

Security 


“Network  guys  are  already  dealing
with  downtime  and  metrics. 

Why  can’t  security  be  part  of 
that  group?  Shorten  the  loop,” 
says  Edward  Schwartz,  former 
CSO  of  the  Nationwide  insurance  companies. 

He  says  companies  should  reduce  security  as  a 
discipline  and  embed  the  security  team  in  the 
other  departments,  like  journalists  in  Iraq,  with 
just  a  small  CISO’s  office  to  coordinate  and 
strategize  at  a  high  level. 

Christofer  Hoff,  CISO  of  WesCorp,  a  credit 
union  in  California,  has  already  integrated  his 
network  ops  and  security  teams.  “We're  baked 
in  now,  not  painted  on,”  he  says.  “On  its  own, 
infosecurity  is  thought  of  as  this  group  that’s 
scratching  for  budget  and  throwing  technology  at 
the  problem.  As  part  of  an  integrated  network/secu¬ 
rity  team,  we’re  a  unit  to  invest  in.”  He  is  convinced  that 
IT  should  “stop  building  its  business  around  what 
the  wiring  closet  looks  like.” 

That’s  exactly  what  Rick  Roy,  CTO  of  CUNA 
Mutual,  recently  decided.  He  went  to  his  board’s 
audit  committee  (with  the  CSO)  and  proposed  a 
radical  change.  “We  suggested  that  we  forget  the 
old  moat-and-castle  model  of  defense,”  says  Roy. 

“The  new  model  we’ll  focus  on  is  a  complex  shopping  mall,  with  multiple  points  of  entry  and 
exit.  In  a  castle,  either  you  got  to  cross  the  moat  or  you  didn’t.  Here  we  say,  Come  on  in,  but 
before  you  get  into  stores,  I  need  to  know  more  about  you.  And  the  less  I  know,  the  more  doors 
that  are  locked.” 

Roy’s  networking/security  team  is  restructuring  his  network  based  on  this  new  model, 
though  he  doesn’t  even  believe  that  all  the  technology  he  needs  to  make  it  reality  has  been 
invented  yet.  “By  the  vendors’  own  admission,  they’re  a  couple  of  years  away,  so  we’re  a  couple
of  years  away  from  sleeping  at  night.  But  we’re  going  in  that  direction.”  -S.B.


it.  Davidson  says  some  schools 
now  divide  developer  classes 
in  two,  a  green  team  for  writing 
code  and  a  red  team  for  break¬ 
ing  it.  The  application’s  relative 
security  becomes  part  of  its 
final  grade.  “Why  isn’t  that 
standard  development 
process?”  she  asks. 

Davidson  knows  that,  with 
billions  of  lines  of  legacy  code 


and  billions  more  in  develop¬ 
ment,  eliminating  all  coding 
errors  is  quite  a  lofty  goal.  But, 
“We  need  goals,  right?”  she  says. 
And  if  doing  that  means  limiting 
the  freedom  and  creativity  of 
coders,  Davidson  says,  so  be  it. 
“We  should  be  marching  toward 
a  realm  where  it’s  harder  for 
people  to  create  vulnerabilities. 
We  need  a  revolution,”  she  says. 


Pry  PCs  from 
Their  Cold, 
Dead  Hands 

Guns  are  dangerous;  therefore, 
we  license  them.  We  give  them 
unique  serial  numbers  and  con¬ 
trol  their  distribution.  James 
Whittaker  says  programmable 
PCs  are  dangerous,  so  why  not 
treat  them  like  guns? 




“Let’s  make  all  end  user 
devices  nonprogrammable,”  he 
says.  “No  one  can  connect  to  the 
Internet  on  a  machine  that  cre¬ 
ates  code.  If  you  want  a  com¬ 
puter  to  do  programming,  you 
would  have  to  be  licensed.  We 
could  license  software  compa¬ 
nies  to  purchase  programma¬ 
ble  machines,  which  would  be 
completely  traceable  along 
with  the  code  created  on  them.”
That  would  blunt  the  infor¬ 
mation  security  problem— 
suddenly  all  that  intelligence 
at  the  edge  of  the  network  that 
Amoroso  wants  to  pull  back  in 
isn’t  just  gone;  it’s  physically 
stripped.  On  the  other  side, 
new  levels  of  accountability 
and  liability  are  created 


through  licensing  developers 
and  eliminating  anonymity 
from  coding. 

Catch  Some 
Bad Guys 

Time  and  again,  security  types 
bemoan  the  light  sentences 
hackers  get.  If  the  penalties 
were  harsher,  perhaps  people 
wouldn’t  be  so  fast  to  spread 
their  malicious  code. 

But  penalty  is  not  a  deter¬ 
rent;  arrest  is.  Right  now,  the 
bad  guys  know  the  risk  equa¬ 
tion  is  favorable— that  it’s 
extremely  unlikely  they  will  be 
caught.  A  higher  capture  rate 


would  dissuade  them. 

Creating  higher  capture 


rates  has  a  lot  to  do  with 
anonymity  on  the  network— 
or,  more  specifically,  removing 
it.  Many  of  the  Big  Ideas  in  this 
space  propose  less  anonymity—
licensure,  for  example.  Microsoft’s
Charney  wonders  what
effect  automatic  traceback 
packets—  knowing  quickly 
and  reliably  where  data  came 
from— would  have.  “It’s  an 
astounding  thought,”  he  says. 

And  then,  he  immediately 
comes  up  with  the  problems  it 
presents.  Traceback  tells  you 
where,  not  who.  And  privacy 
issues  get  thorny  quickly.  “Can 
you  use  the  highway  anony¬ 
mously?”  Charney  asks.  “No. 
But  you  also  can’t  be  stopped  for 
no  reason.  More  complicated 


than  that,  the  Supreme  Court 
has  already  ruled  that  you  can’t 
force  someone  to  attach  their 
name  to  political  speech  if  they 
don’t  want  to.  So  do  you  create 
an  anonymous  part  of  the  Inter¬ 
net  to  ensure  free  speech?  And  if 
so,  what  stops  bad  guys  from 
just  using  that?” 

Still,  if  privacy  issues  could 
be  worked  out,  and  capture 
rates  went  up,  attempted 
attacks  would  go  down. 

Call  the 
Cybercops 

Part  of  increasing  capture  rates 
would  have  to  include  better 
policing.  To  help  this,  Bill  Boni, 
CISO  of  Motorola,  has  come  up 


If  All  Else  Fails,  Regulate


“Don’t  tell  my  Republican  friends,  please,”  says  one  CISO,  a  registered  GOP
member.  “I  know  I’m  using  the  R-word.  But  this  is  the  fundamental  problem.
This  is  a  market  failure  with  no  consequence  in  law.  What  we’re
heading  for  is  [a]  major  disaster.  Then  afterward,  we’ll  have  to  do  regulation
anyway.  And  it  will  be  overreaching,  emotional  and  bad.”

He’s  not  alone  in  his  opinion.  Even  regulation-phobic  congressional  Republi¬ 
cans  have  been  suggesting  that  the  current  state  of  information  security  can  no 
longer  go  unregulated. 

The  Big  Idea  seems  to  be  to  emulate  the  Sarbanes-Oxley  Act:  Force  compa¬ 
nies  to  report  to  the  Securities  and  Exchange  Commission  compliance  with  an 
information  security  standard  based  on  the  International  Organization  for  Stan¬ 
dardization’s  ISO  17799  or  something  similar.  Rep.  Adam  Putnam  (R-Fla.)  went 
so  far  as  to  introduce  an  amendment  to  existing  legislation  that  would  make 
security  part  of  purchasing  decisions  for  government  agencies. 

But  mandating  software  security  may  be  just  the  beginning.  Other  ideas  float¬ 
ing  around  include:  Internet  postage  to  effectively  dam  the  torrent  of  spam 
and  mandated  security  functions  built  into  computers  the  way  seat  belts 
and  air  bags  are  built  into  cars;  another  source  suggests  that  companies 
handling  sensitive  transactions  be  required  to  diversify  the  portfolio  of 
technology  they  use  (just  as  brokers  diversify  financial  portfolios  to  offset 
risk),  forcing  companies  to  use  more  than  one  operating  system. 

“The  government’s  on  the  warpath  right  now,”  says  Paul  Proctor,  a  vice 
president  of  Meta  Group.  “I’ve  watched  organizations  blow  off  security  for 
20  years.  [Regulation]  makes  companies  move.  It  costs  them  money  but  the 
reality  is,  they’re  not  doing  this  stuff,  and  they  need  to  be  forced.”  -S.B. 




with  the  Big  Idea  of  a  cyber¬ 
security  version  of  Interpol. 
“The  problem  with  existing 
collaboration  on  cybercrime  is, 
it’s  episodic  and  it  ignores  the 
fact  that  investigation  requires 
the  significant  participation  of 
the  private  sector.”  With  a 
“Cyberpol,”  you  could  license 
private  eyes  and  forensic 
experts  who  not  only  would 
facilitate  the  cooperation  but 
also  would  improve  response 
time,  as  there  already  isn’t 
enough  law  enforcement  for 
cybercrime. 

“Every  railroad  has  its  own 
police  who  don’t  have  to  call  for 
backup  if  you’re  doing  some¬ 
thing  wrong  on  their  property,” 
Boni  says.  “In  Canada,  law 
enforcement  has  simply  out¬ 
sourced  white-collar  crime 
investigation  to  licensed  private 
investigators.  The  Mounties  just 
said,  We  can’t  deal  with  it.  You 
investigate,  and  if  we  need  to  be 
called  in,  then  bring  it  to  us.” 

A  Cyberpol  would  facilitate 
international  cooperation  on 
investigations  as  well.  That’s 
key,  as  many  virus  writers  live 
and  work  overseas,  under  the 
cover  of  fuzzy  international  law 
and  law  enforcement  agencies 
with  varying  appetites  for 
investigating  cybercrime. 

Unleash  the 
Power  of 
XML  and 
Meta-Data 

Part  of  the  problem  of  secur¬ 
ing  business  online  is  that  the 
risk  is  often  invisible.  In  the 
physical  world,  visual  clues 
exist  to  help  us  discern  who’s 
a  legitimate  merchant  and 
who’s  a  crook.  We  know  which 
neighborhoods  to  go  to  and 
which  ones  to  avoid. 


Several  people  suggest 
using  XML  and  meta-data 
to  tag  websites  with  safety, 
reputation,  past  performance 
and  other  security  ratings  to 
act  as  signposts  for  dangerous 
cyberneighborhoods.  A  vir¬ 
tual  Better  Business  Bureau 
could  manage  the  data  so  that 
when  users  visit  a  website, 
their  computers  pull  down  the 
XML  meta-data  about  that 
site.  The  data  might  tell  the 
browser  to  go  ahead  and  load 
the  page  because  this  really  is 
a  bank’s  website,  their  reputa¬ 
tion  is  good,  and  they  use 
strong  encryption  and  have 
appropriate  privacy  policies. 
At  bad  sites,  the  browser 
would  simply  deny  the  page 
load,  thereby  preventing  a 
phishing  scam  or  some  spy- 
ware  from  being  installed  on 
the  user’s  system. 

Setting  up  that  independent 
managing  body  to  not  only 
create  the  meta-data  criteria 
but  to  manage  it,  too,  would  be 
a  huge  job.  But  it  would  pro¬ 
tect  us  from  our  blindness  to 
online  warning  signs  in  pro¬ 
found  ways. 

Dictate  What 
Software 
Shouldn't  Do 

Specs  rule  the  development 
process.  They  dictate  what  a 
new  software  application 
should  do,  yet  they  rarely 


include  what  an  application 
shouldn’t  do— like  run  code  by 
itself  or  allow  anonymous 
access  or  allow  the  destruction 
of  data  because  of  bugs.  What  if, 
from  now  on,  all  specs  docu¬ 
ments  were  required  to  include 
antirequirements,  such  as  a 
laundry  list  of  common  fea¬ 
tures,  potential  unintended 
consequences  and  bugs  that  the 


End 

Amateur 

Hour 


Licensure  is  so  prevalent— one  can’t  fish  without 
a  license— it’s  hard  to  understand  why  it  hasn’t 
come  to  the  Internet  yet.  Or  to  programming. 

In  fact,  one  of  the  most  prevalent  Big  Ideas  we 
received  was  to  license  programmers.  Make 
them  sign  their  code.  Make  them  take  a  Hippocratic  oath. 
Professionalize  the  profession.  “Make  computer  science 
college  students  take  ethics  classes,”  says  United  States 
Olympic  Committee  CIO  Becky  Autry.  “Technology  ethics. 
Business  ethics.  Life  ethics.” 

In  short,  create  professional  standards,  which  in  turn  raise
the  bar  on  what  gets  developed  and  its  level  of  vulnerability.  At
some  point,  like  with  bridges  and  skyscrapers,  you  could  use
these  services  without  much  worrying  about  their  integrity.

“My  first  job  was  as  a  technical  investigator  of  engineering  fail¬ 
ures,”  says  Oracle’s  Davidson,  wondering  why  such  a  job  doesn’t 
exist  for  software.  “We  don’t  have  building  codes.  I  worked  in
construction  management  in  the  Navy.  I  remember  we  used  to 
X-ray  welds.  The  welder  had  a  license  too.  And  you  still  X-rayed 
the  welds.  We  don't  have  that  on  the  Internet.”  -S.B. 




application  must  actively 
eliminate  from  occurring 
before  the  product  ships? 


There  could  be  a  public  network  (like  today's)  and
then  a  business  network,  for  which  you  would  have 
to  be  licensed  to  use. 


Senior  Editor  Scott  Berinato  can  be 
reached  at  sberinato@cio.com. 


Start  a  Virtual 
Big  Dig 

In  Boston  in  the  late  ’90s,  the 
main  highway  through  town 
was  rebuilt  as  a  tunnel  while 
the  old  road  remained  open. 
Engineers  compared  it  to  open 
heart  surgery  on  a  patient 
going  about  his  business.  It 
was  called  The  Big  Dig. 

It  disrupted  commuters 
some,  took  too  long  to  com¬ 
plete,  cost  far  too  much,  and 
the  new  tunnel  leaks  a  bit.  Still, 
as  a  feat  of  engineering,  it 
mostly  worked.  One  of  the 
most  radical  and  ambitious  Big 
Ideas  is  to  build  a  new,  secure 
Internet  parallel  to  the  old  one 
and,  over  time,  move  everyone 
over  to  the  new  network.  A  vir¬ 
tual  Big  Dig,  perhaps  part  of 
our  Manhattan  Project. 

Let’s  be  clear:  Internet2  is 
probably  not  this  parallel  net¬ 
work.  Vint  Cerf  notes  that  the 
point  of  Internet2— which  is 
an  advanced  network  for  the 
research  community  that  can 
classify  traffic  and  do  other 
cool  things  the  Internet  can’t— 
is  to  become  the  sandbox  for 
researchers  that  the  Internet 
originally  was,  before  it  was 
consumed  by  the  commercial 
sector. 

Cerf  himself  has  mixed  feel¬ 
ings  about  a  new  parallel  net¬ 
work  being  developed.  “Boy, 
it’s  hard  to  tell  how  that  would 
work,”  he  says.  “We’re  seeing 
things  like  overlays— protocols 
and  procedures  that  overlay 


the  existing  Internet  and  do 
networking  in  ways  different 
than  the  Internet  does  it.  Hey, 
the  Internet  itself  was  an  over¬ 
lay  of  ARPAnet.”  Gregg  Mas- 
toras,  a  senior  security  analyst 
at  antivirus  vendor  Sophos, 
suggests  that  we  could  bifur¬ 
cate  networks  so  that  there’s  a 
public  network  (like  today’s) 
and  then  a  business  network, 
for  which  you  would  have  to 
register  and  agree  to  rules  in 


order  to  be  licensed  to  use. 

There’s  no  question  new 
public  networks  would  be 
monumental  undertakings. 
Wolf  at  the  NSA,  for  example,
is  part  of  the  Global  Informa¬ 
tion  Grid  (GIG)  project— 
essentially  the  DoD’s  effort  to 
build  a  secure  network  for  all 
of  defense  and  intelligence  to 
share.  He  gets  to  build  security 
into  this  network  from  the 
beginning,  exactly  what  would 



have  to  happen  for  a  new 
secure  Internet  to  be  built. 
Version  1  of  Wolf’s  Informa¬ 
tion  Assurance  plan  for 
GIG  was  3,600  pages  and 
included  requirements  for  117 
technologies  in  various  stages 
of  development. 

But  if  an  alternative  secure 
network  could  be  built,  it 
would  create  a  tectonic  shift 
in  security  and  tip  the  vul¬ 
nerability  scale  in  favor  of 
the  good  guys.  Even  if  it 
leaked  a  little.




State  Street,  the  $5.5  billion  Boston-based  financial 
services  company,  manages  $1.2  trillion  in  assets. 
Often  derided  as  “Staid  Street,”  its  $1.5  billion  acquisition
of  Deutsche  Bank  was  considered  daring  by  many
and,  to  date,  largely  successful. 


PHOTO  BY  GEOFFREY  KULA 


When  State  Street 
acquired  Deutsche  Bank 
Global  Securities  Services, 
it  had  to  decide  whether  to 
keep  or  retire  more  than 
900  inherited  applica¬ 
tions.  The  guiding  force 
that  helped  it  do  that— and 
migrate  more  than  11,000 
customer  portfolios— is 
called  governance. 

By  Sarah  D.  Scalet 

k  HIGHER 

IF  INFORMATION  TECHNOLOGY  HAS  A  GOD,  HIS  NAME  IS  GOVERNANCE. 

Good  but  elusive,  pervasive  but  difficult  to  quantify,  powerful  but  intangible,  the  ideal  of  IT 
governance  has  been  sought  by  CIOs  ever  since  the  concept  began  to  attract  a  following  in  the 
late  1990s. 

Apostles  like  the  MIT  Sloan  School’s  Peter  Weill  have  extolled  its  benefits.  “Companies 
with  better  than  average  IT  governance  earn  at  least  a  20  percent  higher  return  on  assets 
than  organizations  with  weaker  governance,”  he  asserted  in  these  pages  last  June  15  (see 
“Recipe  for  Good  Governance,”  www.cio.com/printlinks),  upon  the  release  of  his  book  (with
Jeanne  W.  Ross)  IT  Governance:  How  Top  Performers  Manage  IT  Decision  Rights  for  Superior  Results. 

One  company  Weill  identifies  as  an  exemplar  of  good  IT  governance  is  State  Street,  the 
$5.5  billion  Boston-based  financial  services  company  that  manages  $1.2  trillion  in  assets.  And 
few  situations  reveal  IT  governance  in  action  as  well  as  the  massive  integration  project  that  fol¬ 
lowed  hard  on  the  heels  of  State  Street’s  daring  acquisition  of  Deutsche  Bank  Global  Securi¬ 
ties  Services  in  2003. 

Acquisitions  are  “a  fabulous  opportunity  to  test  the  limits  of  governance,”  says  Weill, 
director  of  the  Sloan  School’s  Center  for  Information  Systems  Research.  “What  good  gov¬ 
ernance  does  is  it  makes  decision  rights  and  accountabilities  clear.  Instead  of  arguing 
over  or  even  wondering  who  should  make  certain  decisions,  the  company  can  go  about 


Reader  ROI 

::  How  governance  worked  in 
one  high-stakes  acquisition 

::  How  strategy  informs  gov¬ 
ernance  and  governance 
serves  strategy 

::  How  to  understand  and 
improve  your  own  gover¬ 
nance  processes 




making  the  integration  work.” 

Analysts  call  the  State  Street-Deutsche 
Bank  integration,  now  nearly  complete,  a  suc¬ 
cess.  State  Street  has  held  onto  an  impressive 
88  percent  of  the  revenue  generated  by  the 
Deutsche  Bank  business,  falling  just  2  per¬ 
cent  short  of  the  acquisition’s  ambitious  goal. 

Yet  State  Street  CIO  Joseph  Antonellis,  a 
hard-nosed  MBA,  struggles  to  identify  how 
much  of  that  88  percent  is  attributable  to  IT 
governance.  “I  don’t  know  if  I’d  attribute  any 
of  it”  to  governance,  he  admits. 

In  other  words,  even  this  top  disciple  has 
a  difficult  time  explaining  the  mysteries  of 
IT  governance.  “I  guess  I  attribute  the  pro¬ 
ject’s  success  to  the  fact  that  the  conversions 
went  seamlessly,”  Antonellis  continues.  “We 
were  able  to  service  clients,  and  that  hap¬ 
pened  because  we  have  a  good  IT  gover¬ 
nance  process  and  good  execution  on  IT.  You 
have  to  keep  the  revenue  and  keep  your 
clients  happy,  but  you  can’t  do  it  at  all  costs. 
The  IT  governance  process  allowed  us  to 
work  with  the  business  units  to  make  those 
balanced  decisions  more  profitable.” 

“IT  governance”  is  the  name  Antonellis 
gives  to  the  higher  power  that  guided  him 
through  those  myriad  decisions— a  power 
that  he  agreed  to  try  to  explain. 


The  Acquisition: 

A  Leap  of  Faith 

In January 2003, when State Street spent $1.5 billion acquiring the business unit of Deutsche Bank that serviced global stocks and bonds for institutional clients, it wasn’t because State Street wanted Deutsche Bank’s technology. State Street had its own technology that it believed was superior to the 900 applications it would inherit. And it didn’t necessarily want Deutsche Bank’s employees. About 1,000 of the 3,000 Deutsche Bank employees transferred to State Street were soon laid off.

No, the prize for State Street was Deutsche Bank’s more than 600 global securities clients. The acquisition would instantly nearly double State Street’s business in most of the major European markets, and once it took over those portfolios, State Street executives were confident they would be able to cross-sell other services.

Analysts, however, were skeptical. The acquisition’s success was predicated upon State Street retaining 90 percent of the revenue of the acquired business, even though typical revenue retention rates in a customer acquisition are closer to 80 percent, according to Guillermo Kopp of Tower Group, a financial services consultancy. And all this was happening during an extremely difficult time for the normally placid, two-century-old company sometimes called “Staid Street.” After a 24-year run of double-digit profits, State Street’s earnings had come to a screeching halt in 2001. Soon after the acquisition, the company posted its first quarterly loss in 26 years.

“If we didn’t have an IT governance process,” says State Street CIO JOSEPH ANTONELLIS, “we wouldn’t have an enterprise architecture; we wouldn’t have standards; we wouldn’t have best-practice procedures.”

The company would have to build capacity to absorb the 11,000 portfolios of Deutsche Bank’s 600-plus clients, migrate the new client data and shut down the Deutsche Bank systems—and do so swiftly, before too many clients decided to go with competitors who offered them a better deal.

This strategy of quick data migration is a best practice, says Kopp, who is Tower Group’s vice president of financial services strategies and IT investments. “You put a little more effort up front in doing that migration, but then you don’t have to maintain duplicate systems,” he explains.

Along the way, any stalled decision could have slammed the project into a wall. According to John Petrey, executive vice president and CIO of Banknorth, which has made dozens of acquisitions in the past several years, “Not being able to get decisions made is probably the single biggest risk to not having a successful merger. You have to get decisions made by certain deadlines, or you’re dead.”

But  it  wouldn’t  take  a  miracle  for  State 
Street  to  make  its  decisions  on  time. 

It  would  take  good  IT  governance. 

The Hierarchy: How State Street Made 11,000 Decisions

Ask for a definition of IT governance, and as likely as not you’ll get a description of its components—a group of things that, together, add up to governance. At State Street, those components are a group of committees through which decisions cascade as strategy generates policy, which is then executed. And migrating 11,000 Deutsche Bank client portfolios was going to take a lot of execution.

At the top of State Street’s governance pyramid is the Operating Group, which consists of the CEO, vice chairman, CIO, CFO, the head of human resources and the three heads of the major business lines: custody, asset management and global markets. This is the group that greenlighted the Deutsche Bank acquisition. It meets weekly to discuss strategy. A subgroup of this committee, called the Executive Steering Group (with nearly the same roster), meets once or twice a month to talk specifically about IT and operations. (See “State Street’s Governance Hierarchy,” this page.)

STATE STREET'S GOVERNANCE HIERARCHY

How strategy is set, decisions made and executed

1 OPERATING GROUP

Membership: CEO Ronald Logue, CIO Joseph Antonellis, the vice chairman, the CFO, the head of HR and the three EVPs who lead State Street’s business units

Meets: Weekly

Mission: Create business strategy.

2 EXECUTIVE STEERING GROUP

Membership: Similar to the Operating Group, less vice chairman and two EVPs

Meets: Once or twice a month

Mission: Deal with issues related to both IT and operations. Make decisions on projects that cost up to $10 million.

3 IT COUNCIL

Membership: CIO Antonellis and his six direct reports

Meets: Twice a month

Mission: Discuss IT best practices, cross-enterprise projects and IT change management. Make decisions on projects that cost up to $5 million.

3 OPERATIONS COUNCIL

Membership: EVPs of U.K. investments and global service, leaders from business units, the head of HR

Meets: Twice a month

Mission: The operational arm of the Executive Steering Group implements Steering Group decisions and guarantees businesswide alignment.

OFFICE OF STRATEGY AND GOVERNANCE

Membership: IT and product managers from three business divisions

Meets: Weekly

Mission: Review new technology, establish the enterprise architecture and set tech standards based on the IT Council’s decisions.

INTEGRATION PROJECT MANAGEMENT OFFICE

Membership: EVP of Business Project Services Sharon Donovan Hart, sales, HR and client services managers

Meets: Twice a month

Mission: Established for the Deutsche Bank acquisition and responsible for the day-to-day details of the integration.

The  next  level  down  is  the  IT  Council, 
composed  of  Antonellis  and  his  six  direct 
reports.  This  group  convenes  twice  a  month 
to  discuss  IT  best  practices,  cross-enterprise 
projects  and  IT  change  management. 

Below that is an Office of Strategy and Governance, made up of IT and product managers from each of State Street’s three business divisions, which reviews and studies new technologies, establishes the enterprise architecture blueprint and maintains the systems development methodology.

Finally, an Integration Project Management Office, established for the Deutsche Bank acquisition, functions as something of a fractal of the whole structure, with managers from each discipline—including IT, sales, human resources and client services—working out the various and sundry details of each component of the integration.

The rule of thumb at State Street is that any decision involving up to $5 million goes up to the IT Council. Decisions that involve up to $10 million rise to the Executive Steering Group. Decisions $10 million or more are handled by the Operating Group. Strategy trickles down.

“At the very top of the house, there’s an expectation of cost reduction. And the way to achieve that is to make sure that you have synergy with your applications and your platforms,” Antonellis says about the Deutsche Bank integration. “You drop down to the IT Council, the first level, and they said, ‘Let’s go out and inventory everything we have.’” From there, the business experts in the Integration Project Management Office compared and contrasted specific Deutsche Bank features against what State Street already had, looked for redundancies and decided when a Deutsche Bank functionality should be brought over and built into State Street’s product set.

Before former State Street CIO John Fiore started to wrap his arms around IT governance in 2001, decisions were made “in each business silo,” says Antonellis, who was executive vice president and head of Institutional Investor Services before becoming CIO. “There was little integration. Redundancy. Too many platforms. You interacted with staff based on personal relationships. If I happened to know that my brethren over in global asset management were utilizing some software, I would pick up the phone. Now it’s much more prescribed. There’s a certain amount of flexibility, but now we have standards.”


Not that IT governance is all about standardization and centralization. “You have to be careful,” Antonellis warns. “You can’t be too structured and too rigorous or you’ll stifle innovation, and then you won’t be nimble.” The point of all these committees isn’t to determine that the company should, for example, standardize on IBM’s WebSphere for Web services, he says. It’s to have processes in place to decide if the company needs a standard. And if so, who will choose it (that is, decision rights).

One size does not fit all. “Depending on your organization, you create the framework for IT governance—how centralized you want to be, how many standards and requirements you want to impose on people, and how [IT] interacts with the business units,” Antonellis says. The structure needs to be created based on the culture of the company. For instance, he says, “Some people would never impose IT on the CEO, but our CEO loves it. He used to be an assembler programmer in his first job out of college. He wants to be involved in IT decisions.”

Weill agrees that there’s no one right way to do governance. “The structure is not important,” he says. “What you really care about is decision rights: Who has the right to make decisions?”

In the Deutsche Bank acquisition, State Street had a ready-made governance model: its own. Because it was acquiring a business unit (not merging with another business), and because the CIO of the acquired business unit was staying at Deutsche Bank, it was clear from the get-go whose governance model would prevail (Antonellis’s). With clearly defined decision-making committees in place, and clear criteria for how decisions moved up and down the hierarchy based on the expense involved, State Street executives already knew who would be making the critical decisions and how they would be making them. Now they just had to do it.

State Street Executive VP SHARON DONOVAN HART was the top liaison between the businesspeople and the technologists during the Deutsche Bank integration.

The Execution: Dismantling a $1.5 Billion Giant

Nobody saw more decisions pass go than Sharon Donovan Hart. As State Street’s executive vice president of business project services, Donovan Hart was in charge of the integration project management office, and, as such, was the top liaison between the businesspeople and the technologists. Those 900 apps that State Street had to ferret through? She looked at them all. The conversion of 11,000 portfolios? She was there, helping decide which clients would be brought onto State Street’s platforms and when. Yet when she describes her approach, she speaks less of governance and more about how a clear strategy, provided by the executive team, helped her group make decisions.

“When we go into Deutsche, there are certain things that are not on the table for a decision—we just want to do those,” says Donovan Hart, one of Antonellis’s six direct reports and a 20-year State Street veteran. These were the criteria that she received from the IT Council, based on the objectives established by the Executive Steering Group:

“Anything  that  relates  to  us  having  to 
scale  State  Street’s  existing  systems,  we’ll 
put  IT  resources  against  that. 

“Anything  that  relates  to  our  ability  to 
convert  these  portfolios,  that’s  a  priority. 

“Any project that relates to retiring a system because of the costs associated with it, that’s a priority,” Donovan Hart says.

Everything else—a particular feature requested by a client, for instance, or a change that might make pensions run more smoothly—was open for discussion.

The tricky part was that there wasn’t necessarily anything wrong with any of Deutsche Bank’s applications. This was where governance was critical. For example, Deutsche Bank had a sparkling-new compliance application, but it had been rolled out to only six clients. Should it be adopted broadly, supported on a limited basis or simply yanked?

“The decision that people had to make is, OK, this application is brand new, but they only have six clients on it, and we have our own compliance systems,” Antonellis explains. “Yes, that Deutsche Bank application may have the functionality, but it would take time and money not only to convert the Deutsche Bank clients to it, but then to convert our own client base. We had to decide.”

WHAT STATE STREET BOUGHT

DEUTSCHE BANK GLOBAL SECURITIES SERVICES

Date: Jan. 31, 2003
Cost: $1.5 billion
Customers: More than 600
Portfolios: 11,000
Applications: 900 (all but a handful now “retired”)
Employees: 3,000 (1,000 now laid off)

WHAT STATE STREET GOT

52% increase in assets under custody ($9.4 trillion at end of year 2003, compared to $6.2 trillion at end of year 2002)

88% of the revenue from the acquired business

33% increase in number of portfolios serviced

47% increase in monthly transaction volume

LEADERSHIP IN A HIGHLY STRUCTURED GOVERNANCE ENVIRONMENT

CIO: Who is ultimately responsible for any given decision?

State Street CIO Joseph Antonellis: “The CIO. The buck stops here. I can’t hide from it. I can have a structure in place to help me make the right decisions, and I could probably point to other people if I make a bad decision. And if I make a good decision, I can give them credit. But in the end, you’ve gotta be able to pull the trigger.”

Based on the parameters that had been set by the executive groups—the cost-cutting mantra—the integration project management office decided to retire Deutsche Bank’s compliance application. The alternative, while it might have seemed logical, would have resulted in redundancies.

“If we didn’t have clear focus,” Donovan Hart says, “we could have been spending a lot of time building out product feature sets—because that would have been the natural pull from the business side—and lost sight of the need to convert and retire systems.”

In the end, of the 80 major systems that were part of the Deutsche Bank acquisition, State Street brought over only three (and is still deciding on a fourth)—a feat that was possible only because dismantling the $1.5 billion giant had been defined as a strategic goal.

The Decision Point: Balancing Service with Costs

When banking acquisitions go bad, no one ever points and says, “Aha! Poor IT governance.” Instead, Tower Group’s Kopp says, acquisitions usually stumble because customers see a decline in service. So here was


cost reduction, the business goal was to retain 90 percent of the Deutsche Bank revenue. To do this, the bank had to make sure not to let service slip.

It was a tense time, complicated by the fact that the competition was watching, trying to steal Deutsche Bank customers. “[The competition was] underbidding,” says Antonellis, “because their intent was less on winning business and more on taking a competitor out of the marketplace.”

The business side fought back (at least in one case) by matching the low bids. IT contributed by making strategic decisions about when to convert customers to State Street’s platform, the better to keep them happy.

The  bulk  of  the  Deutsche  Bank  customers 
were  in  the  United  States,  where  conversions 
were  simplest  (for  regulatory  reasons).  So  the 


cross-functional  team  on  the  front  lines  of  the 
conversions)  decided  to  focus  first  on  them. 
Once  that  decision  was  made,  Donovan  Hart’s 
group  had  to  hammer  out  specific  “flights,”  or 
groups  of  portfolios,  that  would  be  moved 
over  on  a  given  weekend.  “Instead  of  Client  A 
just  going  on  that  weekend,  our  flight  might 
consist  of  Clients  A,  B,  C,  D,  E  and  F,”  she  says. 
“It could have been half a dozen, or it could have been 120, based on the size of the portfolios we needed to convert.”

When there were two similar customers with the same number of holdings, the regional business managers were called in to help prioritize. “We’d say, based upon the size, the revenue, the client’s willingness, we need to make a decision,” Donovan Hart says. Part of the decision took into account the fact that the clients were dividing into groups of their own—those who were going through with the conversion and those who were thinking about taking their business elsewhere.

One such customer was Vyvian Heath, manager of pension and investments for Kaiser Permanente. She put out an RFP, and one of the bids she received was considerably lower than any other. State Street agreed to match it, and she took it up on its offer largely because she wanted to continue working with her key contacts at Deutsche Bank, who had stayed on with State Street.

But it was State Street’s IT systems that not only kept Heath a customer but also made her a happy one. She notes that now she can crunch numbers in better ways and receive more reports electronically than she could with Deutsche Bank. Plus, the conversion process has been painless because her points of contact didn’t change.

That’s exactly the kind of thing that State Street executives like to hear—and are, in fact, hearing. By the end of 2004, State Street had brought over so many clients that the company had increased the total number of portfolios it was servicing by 33 percent and its monthly transaction volumes by 47 percent. Eighty-five percent of client conversions were complete. All that, and State Street has kept 88 percent of the revenue.

For  Antonellis,  that  was  close  enough. 

The Faith: The Business of IT Is Business

Although  Antonellis  can’t  measure  exactly 
how  much  IT  governance  helped,  the  fact 
that  it  did  is  with  him  a  matter  of  faith. 

“If we didn’t have an IT governance process,” says Antonellis, “we wouldn’t have an enterprise architecture; we wouldn’t have standards; we wouldn’t have best-practice procedures. You could very well envision [in the extreme] a group of people saying, ‘Let’s build it all out’”—meaning, in this case, that each Deutsche Bank customer would have had, in effect, his own personalized suite of enterprise IT functions. The business driver, Antonellis says, would have been, “‘Let’s get this business on board and keep the clients happy.’

“And then,” Antonellis continues, “you build a whole new silo parallel to the bank’s existing silos—which, quite frankly, is what happens in many acquisitions.” If the Deutsche Bank acquisition had been handled like that, State Street might even have surpassed its goal of retaining 90 percent of customer revenue—but at what operating cost going forward?

It remains to be seen whether even world-class IT governance will be enough to get State Street back on track. During the company’s third-quarter earnings call last October, CEO Ronald Logue announced another round of layoffs (425 employees this time), which he said would help the company trim $50 million more from its expenses. The company had spent another $16 million in that third quarter on merger and integration costs related to Deutsche Bank, and executives had to deny rumors that State Street might soon be the company being acquired, rather than doing the acquiring.

Still, Antonellis continues to look for efficiencies, and he’s been asked to roll out his governance model to the operations side of the house.

“I’m not a technologist, I’m a businessperson,” Antonellis says. For too many years, the business cast IT in the role of “order-takers” and said, “‘We make the decisions, and you go execute.’”

Now,  that’s  no  longer  the  case. 

“Good  IT  governance  brings  IT  into  the 
strategy  of  the  company,  creates  solution 
sets,  and  then  works  to  rationalize  your 
processes. 

“To  me,  IT  governance  is  good  business 
process  applied  to  business  decisions,”  says 
Antonellis. 

And there’s nothing metaphysical about that.


Sarah  D.  Scalet,  senior  editor  for  CSO  (a  CIO  sister 
publication),  can  be  reached  at  sscalet@cio.com. 


Rules  for  Governance 


Imagine giving businesspeople a single document that explains how IT works and what they need to do to get a project approved. Could be a great tool for building relationships with the business. We have such a document, courtesy of BILL GODFREY, CIO at Dow Jones. It’s linked to the online version of this article and can also be found at www.cio.com/031505.




ILLUSTRATIONS  BY  PETER  BENNETT 


ESSENTIAL technology

FROM INCEPTION TO IMPLEMENTATION - I.T. THAT MATTERS

Edited by Christopher Lindquist, clindquist@cio.com

Performance Enhancers

Application monitoring tools can help companies tune up their engines

BY CINDY WAXER

APP  PERFORMANCE  |  Marshall  &  Swift  may  be  situated  in  sunny  Los  Angeles,  but 
the  company  barely  averted  disaster  last  August  when  Hurricane  Charley  ripped  through 
southwest  Florida. 

Some  of  the  nation’s  largest  insurance  companies  rely  on  Marshall  &  Swift’s  200-plus 
servers  to  process  claims  and  calculate  the  costs  of  rebuilding  commercial  and  residential 
properties.  Within  one  month  of  the  hurricane  making  landfall,  the  number  of  claims  jumped 
from  20,000  to  a  whopping  180,000.  This  sudden  surge  in  server  utilization  could  have 
spelled  disaster.  Fortunately,  Marshall  &  Swift  had  turned  to  ProactiveNet  just  a  couple  of 
months  earlier. 

ProactiveNet’s flagship product, ProactiveNet 6.0, is a performance measurement and analysis tool that identifies when an application or system is going outside of its normal parameters and pinpoints the most likely source of the problem. In the case of Marshall & Swift, ProactiveNet alerted the company’s IT department to an improper balance of application, Web and database servers. Some servers were being underutilized while others were being overburdened, thereby causing degradations in overall system performance.

Using ProactiveNet, Marshall & Swift began the painstaking process of monitoring the usage patterns of each server and identifying peak utilization periods. Although the process took months to perfect, Geoff Garlow, Marshall & Swift’s director of operations, says it prepared the company for the deluge of claims precipitated by Hurricane Charley.

“Without  ProactiveNet,  we  would  not 
have  survived  [the  onslaught  of  claims],” 
says  Garlow.  “We  were  able  to  actively  move 
certain  servers  around  to  ensure  that  all 
claims  were  processed  in  a  timely  manner.” 

Marshall & Swift isn’t the only company that’s taking a chance on today’s string of application performance management (APM) solutions. An increasing number of companies are banking on APM tools to improve application availability and performance, enforce service-level agreements (SLAs), enhance end user experience and cut infrastructure costs through improved capacity planning. In fact, Jean-Pierre Garbani, vice president for computing systems at Forrester Research, estimates that more than 60 percent of Fortune 2000 companies are using some variation of an APM product today.

At costs ranging from $100,000 to $500,000 for a two-year license, however, Garbani warns that companies shouldn’t expect to see instant results from APM tools. Implementation periods can span from days to months, depending on the complexity of a situation. And while there are out-of-the-box monitoring tools for applications from big-name vendors such as SAP and Oracle, Garbani says that companies with custom-built applications will likely have to rely on highly configurable APM tools from niche players. But that’s not all. “Understanding how to set parameters for application monitoring software is the biggest challenge,” says Garbani, noting that the task of setting standards and thresholds for what constitutes “normal” application behavior can entail months of adjustments and minor modifications.

Forrester’s Garbani warns that companies shouldn’t expect to see instant results from application performance management tools.

Power Drain

Despite these difficulties, businesses can no longer afford to let outages and degradations go unnoticed. According to research company Gartner, application problems are the single largest source of downtime, causing 40 percent of annual downtime hours and 32 percent of average downtime costs.

Companies also pay for performance problems in other ways. Lopsided server utilization wasn’t the only price Marshall & Swift was paying for poorly managed applications, for instance. Prior to deploying ProactiveNet, the company was doling out $220,000 a month to Qwest Communications to monitor, manage, and host its servers and applications. Despite these high costs, Garlow says, Marshall & Swift’s clients were constantly complaining of inexplicable outages, annoying lag times and the inability of some applications to support multiple end users. As a result, the company was paying service-level agreement (SLA) penalties that sometimes exceeded $20,000 a month.

By  leveraging  ProactiveNet’s  capability 
to  provide  real-time  analyzed  performance 
data  and  revising  its  policies  and  proce¬ 
dures,  Garlow  says  Marshall  &  Swift  now 
delivers  99.7  percent  SLA  availability  and 
has  eliminated  practically  all  financial 
penalties  from  application  outages  and 
performance  degradations.  With  an  in- 
house  monitoring  tool  in  place  and  five 
new  employees  to  manage  the  system,  the 


When  Real-Time 
Is  Too  Slow 

Sometimes,  simply  monitoring  what's 
going  on  in  your  existing  systems  isn't 
enough;  sometimes  you  need  to  look 
into  the  future.  And  thanks  to  simulation 
modeling  technology,  some  IT  execs 
now  have  an  application  performance 
crystal  ball. 

Just  ask  Tom  Martin,  vice  president 
of  strategic  performance  testing  at 
J.P.  Morgan  Chase.  Martin  recently 
spearheaded  the  rollout  of  a  new  teller 
system.  Prior  to  deployment,  he  met  with 
the  vendor  to  determine  system  require¬ 
ments,  and  the  vendor  recommended 
the  purchase  of  a  larger,  balf-million- 
dollar  server. 

Desperate  for  a  second  opinion, 

Martin  brought  in  HyPerformix  for 
its  simulation  modeling  technology. 
Through  data  collection  and  analysis, 
the  HyPerformix  software  built  a  virtual 
topology  of  J.P.  Morgan  Chase’s  entire 
infrastructure  and  simulated  how  the 
teller  application  would  perform  across 
the  infrastructure,  under  a  variety  of 
circumstances. 

Martin  got  the  answer  he  was  after. 
HyPerformix's  modeling  technology 
determined  that  servers  significantly 
smaller  (and  cheaper)  than  the  one 
recommended  by  the  vendor  would 
still  meet  performance  requirements. 

At  a  price  tag  ranging  from  $85,000 
to  $500,000  for  a  two-year  license 
(depending  on  the  number  of  users), 
HyPerformix  is  best  suited  for  companies 
about  to  make  significant  changes  to 
their  IT  infrastructures.  It  isn't  cheap, 
but  it  can  provide  insight  into  questions 
that  typical  performance  monitoring 
tools  can’t  deliver. 

“The  real-time  monitoring  tools  are 
real  nice,  but  they  won't  help  you  answer 
‘what  if  scenarios,"  says  Martin,  -C.  W. 


94 


MARCH  15,  2005  |  www.cio.com 


EMC2 

where  information  lives' 


Fr:  a  wide  range  of  information  management  challenges 


To:  a  wide  range  of  software  to  overcome  them 


EMC  SOFTWARE  GIVES  YOU  MORE  OPTIONS,  MORE  CHOICES.  You  have  all 
kinds  of  information  management  challenges.  EMC  has  the  software  to  help  you  overcome 
them.  Whether  you’re  dealing  with  storage  management  or  content  management.  So  you  £$jj 
manage  growth,  protect  and  recover  information,  achieve  compliance  and  business  continu 
ity,  and  keep  everything  running  smoothly.  And  EMC  software  works  with  your  systems  and 
software.  Now,  and  in  the  future.  To  learn  more,  visit  www.EMC.com/software. 


agate 


EMC2,  EMC,  and  where  information  lives  are  registered  trademarks  of  EMC  Corporation.  ©  Copyright  2004,  2005.  EMC  Corporation.  All  rights  reserved. 


essential  technology 


company  is  on  the  cusp  of  extending  its 
SLAs  to  include  weekends,  thereby  broad¬ 
ening  its  revenue  stream.  And  the  com¬ 
pany  estimates  savings  of  $1.2  million  a 
year  in  managed  services  costs  and  con¬ 
sultant  fees. 

Still,  Garlow  warns  that  an  APM  solu¬ 
tion  shouldn’t  be  viewed  as  a  cure-all.  “You 
can  have  the  best  performance  monitoring 
system  in  the  world,  but  if  you  don’t  have 
the  correct  staff  in  place  and  the  correct  pro¬ 
cedures,  then  you’re  just  wasting  your 
money,”  he  warns. 

Ending  Mystery  Crashes 

At Illinois-based online brokerage OptionsXpress, application performance problems can have a serious impact on livelihoods. Nearly 7,000 options traders visit OptionsXpress’s website at any given time, completing nearly 20,000 transactions a day. With all this online traffic, the brokerage’s IT administrators were always up against the clock when recreating troublesome applications offline in the development environment.

“Even when we did try to recreate the problem a month later, when it finally reached the development queue, the developer was often unable to recreate the situation just based on the time lapse,” says David Kalt, president of OptionsXpress. That’s because OptionsXpress’s application data is constantly being updated as customers perform trades. By the time the company’s IT administrators would get around to exploring the problem, it would be next to impossible to recreate the same production environment.

What’s more: OptionsXpress’s reliance on third-party software would often obfuscate the real source of a problem, causing IT administrators to waste time pointing fingers at vendors. That is until the company deployed Identity’s AppSight Black Box software in late 2002.

Rather than replicate an application problem, Identity’s Black Box software technology records real-time, forensic logs of software and system events. While the application runs in production, the software captures every system event and condition at every level, from user inputs and system configuration to code. Identity’s application support solution, AppSight, then organizes these logs into time-synchronized views to pinpoint the root cause of each problem. The system avoids costly downtime by letting applications remain running, even as problems are being recorded and analyzed.

Vlad Karpel, OptionsXpress’s vice president of IT, recalls struggling to unlock the mystery behind a troublesome trading application that was forcing traders to resubmit orders: “At some point, the application would just die and then restart itself on its own.”

Typically, Karpel’s IT team would have needed to recreate the entire application, examine every line of code, add tracing statements and recompile the application to identify the source of the problem. However, upon activating AppSight, Karpel quickly discovered that an error in the number of SQL connections was rendering the application unstable.

The typical Web application goes down [...] hours per year. SOURCE: Gartner


Dow Chemical didn’t want to waste any time discovering the source of its application performance issues. With 90 percent of its clients located outside of its Midland, Mich., headquarters, Dow needed a solution that would help the science and technology company track its end users’ online experience. Dow caters to 500 locations worldwide, and its electronic channels generate annual sales of $5 billion. Failing to accurately monitor how applications perform for customers—from Pennsylvania to Finland—was a risk Dow couldn’t afford to take.

International differences in Web browser versions and the multiple ways in which ISPs measure and manage their network layers forced Dow’s geographically scattered end users to endure a wide variety of online experiences. For example, Dow’s U.S.-based IT department would schedule system backups during the early hours of the morning, not realizing that this was prime time for customers in Japan to place online orders. As a result, these customers would experience order processing delays. Hoping to capture a much-needed, end-to-end view of its worldwide performance metrics, Dow enlisted Mercury Interactive’s Service Level Management solution.

The first step for Dow was to examine performance trends and gather baseline information so that the IT department could set realistic service-level objectives for availability and response times for the different geographies they serve. The Mercury Service Level Management solution was then configured to send alerts when performance dipped near those levels. By creating an early warning system, Dow now diagnoses problems and can take action before business interruptions arise. The company can also aggregate service-level data in the form of detailed reports that match specific activities with select time periods so that administrators can pinpoint activities—such as system backups—that may cause delays.

Gaining an end-to-end perspective of its online operations provides “a great deal of comfort” to Dow’s customers, according to Mack Murrell, Dow’s senior global director of enterprise IT operations and services. But more than simply enhancing customer satisfaction, Mercury has helped Dow increase the availability of key applications by 35 percent by reducing the amount of time it takes to isolate, identify and diagnose these application issues.

By delivering solid results, Mercury is just one of countless vendors to establish a foothold in today’s crowded APM market. Management stalwarts such as BMC Software and Computer Associates, up-and-comers such as ProactiveNet and Wily Technology, and 800-pound gorillas such as Hewlett-Packard and IBM all offer APM solutions and services that promise to improve response times and application availability. In fact, research company IDC (a sister company to CIO’s publisher) estimates performance management software revenue will experience a 7.5 percent annual growth rate over the next five years, reaching $3.6 billion by 2008. All of which leaves companies with little excuse—and plenty of options—for eliminating poorly performing applications.


Cindy  Waxer  is  a  freelance  writer  based  in  Canada. 
E-mail  feedback  to  Technology  Editor  Christopher 
Lindquist  at  clindquist@cio.com. 


Chips  Inside 
Casino  Chips 


RFID | For the casino industry, tracking tiny details can reap huge rewards. Sure, the games of chance are all tilted toward the house, but knowing how people gamble—and what makes them likely to gamble more—is the path to cushier profit margins.

For an eternity, the most common way for casinos to track the habits of their gambling customers was through the efforts of “pit bosses”: people hired to watch and manually track who bid what, when, where and under what conditions. This information could then be used to reward big spenders with perks such as free shows, meals, rooms and other amenities. Plus, the pit bosses helped the casinos keep up with cheats. More recently, loyalty card systems have allowed casinos to track and reward player behavior at slot and poker machines. But in the near future, radio frequency identification (RFID) technology will let gaming purveyors offer the same sort of loyalty programs at the card tables.

Gaming equipment maker Shuffle Master recently purchased a pair of RFID patents that will let the company design systems to track chips anywhere inside a casino, from the cage to the card table. The company already manufactures a popular line of automated card shufflers, card-based table games and game monitoring products, including optical card readers and tracking software. By adding RFID-enabled chips to an “intelligent table system,” which can monitor exact betting behavior, casinos will get a detailed view of how customers gamble. Better yet, it will allow casinos to track such information for just about any gambler, not just the high rollers. In addition to helping casinos build reward programs designed to keep their best customers coming back, it should also keep the crooks at bay—say, by keeping counterfeit chips off the floor, a huge issue for many casinos, according to Shuffle Master President and COO Paul Meyer.

The system is expected to be available for delivery to casinos later this year.

-Christopher Lindquist




Services  for  Sale 

IT may finally get its chance to sell
Web services


BY  ERIC  KNORR 

SOFTWARE | Nearly four years ago, I sat at the back of a packed conference on something new and exciting called Web services.

Web services was going to be bigger than the Web itself. Any machine would be able to talk to any machine, and eventually most apps would be built from components strung together across the Internet. As part of the revolution, why shouldn’t enterprise customers become Web services vendors?

But IT had other priorities, like slashing costs. And Web services mainly became a cheap integration method. But recently those giddy early days came rushing back when I spoke with Infravio CEO Jeff Tonkel about his X-registry product, an enterprise registry and repository for publishing and even selling Web services.

Before Tonkel’s tenure, Infravio’s foray into the Web services market included both development and migration tools. Tonkel then moved the company to the broker space, where Web services is an EAI replacement with performance management and measurement capabilities. But ultimately, BEA, Cisco, Microsoft and the other big infrastructure players are going to own this space. Now Web services/service-oriented architecture asset management is the center of Tonkel’s strategic vision for Infravio.

As luck would have it, travel giant Sabre needed just such an application. Infravio beat out its competitors because its X-registry is similar to a searchable e-commerce catalog that holds detailed descriptions of services and, more important, provides control and approval mechanisms. Sabre decided it was easier to set up shop using X-registry than to build a similar app itself.

Those who know a little about Web services may wonder: Why not just use Universal Description, Discovery and Integration (UDDI)? Mainly because UDDI as it stands is really a spec for a relatively simple directory and (unique among the basic Web services standards) has lost traction rather than gained. And the ebXML registry spec, once championed by IBM and Sun, never really got off the ground.

Infravio has no direct competition as yet, but I imagine a few companies may want to enter the space. The great thing about Web services is that it’s been a grassroots effort and has lowered the cost of integration. The problem with it is that developers tend to use it as an ad hoc solution and document it poorly—the key exceptions being the public-facing Web services, such as those offered by Google or Amazon.com. True, what Google and Amazon.com offer is pretty simple, but it’s easy to underestimate the effort involved in making Web services reliable, self-service, scalable entities that pretty much anybody can use.

Throw in the proper rights and permissions mechanisms, and that philosophy should also underlie Web services inside the firewall. It’s going to take years before the swirl of draft Web services specs settles down, if ever, and even if it does I can’t imagine a day when Web services will run around connecting with each other dynamically, without human intervention. In human-readable form, registries and repositories must capture all the relevant information needed to contract with a Web service, or much of the Herculean effort involved in creating a service-oriented architecture—which expands organizations’ integration possibilities by a magnitude—will go to waste. And these registries should include descriptions understandable by business types, not just technologists.

Who knows? Once you’ve established that sort of repository inside your organization, it’s not that big a step to consider selling a few select services over the Internet. At the very least, if you pitch it right, the prospect might score a few points with the business guys.


Eric Knorr is executive editor at large for InfoWorld.
He can be reached at eknorr@pacbell.net.




FROM  THE  PUBLISHER 


A  Bigger  Threat 
Than  Terrorism? 

Our education crisis is as serious as anything we’ll face as a nation

My recent “Education Crisis” column hit the mark with many readers. “It is very sad to see the most technologically advanced country in the world falling so much behind in educating its young people in science and engineering,” wrote one reader in a typical response.

Some readers commented that while the 59,000 U.S. undergraduate engineering degrees paled in comparison to the 220,000 undergraduate engineering degrees conferred in China in 2003, our universities offer more rigorous curricula. These readers were essentially saying that our students are better.

Not so, said another reader who got her undergraduate electrical engineering degree in China and her graduate degree in the United States. “Based on my school experience, it is much easier to get a 4.0 and be the top student in America,” she wrote. “Even a mediocre student from a mediocre university in China, when they come to the United States, can be the top student.”

The column also addressed the “triple whammy” of fewer engineering students, lower potential for homegrown innovation, and fewer professors to teach science, technology, engineering and math. How bad is this situation for America’s future? “I would argue it is a far greater threat to our livelihood than any act of terrorism,” one reader suggested.

Hmm, going too far? Not so, according to a February 2001 report by the U.S. Commission on National Security/21st Century. “Americans are living off the economic and security benefits of the last three generations’ investment in science and education, but we are now consuming capital,” the report stated. “Our systems of basic scientific research and education are in serious crisis, while other countries are redoubling their efforts. In the next quarter century, we will likely see ourselves surpassed...unless we make a conscious national commitment to maintain our edge.”

The  clock  is  ticking.  What  are  you  doing  to  help  the  cause? 




THE  RESOURCE  FOR  INFORMATION  EXECUTIVES 


president  and  ceo  Walter  Manninen 
editorial  director  Lew  McCreary 
publisher Gary J. Beach

CXO  MEDIA 

CIRCULATION 

svp,  circulation  Carol  A.  Spach  circ.  dir.  Faith 
Marcello  subscription  svcs.  supervisor  Tina  Pescaro 

CIO  EXECUTIVE  COUNCIL 

GENERAL  MANAGER  Mark  Hall  MANAGING  DIRECTOR 

Martha  Heller  dir.,  external  relations  Karen  Fogerty 

DIR.,  PROJECT  MGMT.  OFFICE  Amy  Field  DIR,,  PROGRAM 

development  David  Lien  consulting  editor  Richard 
Pastore  member  services  managers  Bill  Golden, 
Carrie  Mathews  program  managers  Mindy  Hogan, 
David  Parker,  Jennifer  Riley,  Steve  Rovniak,  Stacy 
Sudan,  Kristina  Sweet,  Greg  Szumowski 
operations  specialist  Lisa  Byron 

EXECUTIVE  PROGRAMS 

svp,  executive  programs  Jennifer  Richards 

VP,  CONFERENCE  MGMT.  Cynthia  Mollus  DIR..  BUSINESS 

development  Chris  Mattoon,  John  Vulopas  dir.,  event 
planning  Amy  Turell  program  ops.  mgr.  Brian  Fuce 
sr.  client  relations  specialist  Sandra  J.  Hughey 
event  planner  Sarah  Yee 

ONLINE  &  INFORMATION  SYSTEMS 

cio  Mark  Hall 

online  e-commerce  mgr.  Andrew  Burrell 
online  production  specialist  Rupal  Patei 
online  producers  Todd  Borglund,  Shannon 
MacDonald,  Jennifer  McCarthy 
information systems dir., i.t. Dagmar Eiben
infrastructure  manager  James  C.  Burgoyne 
user  services  manager  Ron  Bettencourt 
sr.  user  services  specialist  Michael  Fahlsing 
sr.  i.t.  specialist  Jonathan  Frappier 
system  administrator  Robert  Reagan 
sr.  web  developers  Sean  McCracken,  Ellen  Morey 
assoc,  web  developer  Anthony  Servideo 

PRODUCTION 

vp,  manufacturing  Chris  Cuoco 
sr. production manager Lee Tuttle
sr.  production  coordinator  Lisa  Stevenson 
production  coordinator  Stephanie  Naughton 

MARKETING 

evp/cmo  Cathy  O'Leary  Hayes  svp,  news  &  information 
Susan  Watson  program  administrator  Lori  Piscatelli 
publicist  Rick  Sheehy  dir.,  marketing  research 
Bridget  Cammarata  marketing  research  managers 
Carolyn  Johnson,  Dylan  DiGregorio 
sr.  dir.,  marketing  comm.  Sue  Yanovitch 
SR.  marketing  comm,  specialists 
Susan  Maloney,  Kara  Murphy 
marketing  comm,  coordinator  Lynn  Holmlund 

ADMINISTRATION 

dir.,  finance  Margarita  Chiango  finance  &  operations 
analyst  Chris  Bernardi  executive  assistant 
to  the  president  Diane  Martin  billing  specialist 
Joyce  Gillls  facilities  specialist  John  Kelley 
office  services  coordinator  Mary  E.  Wooldridge 

HUMAN  RESOURCES 

vp,  human  resources  Patricia  Chisholm 
human  resources  director  Tanya  Bureau 
sr.  hr  representative  Beth  S.  Ramistella 



CXO  \  MEDIA  INC. 


international  data  group 
ceo  Pat  Kenealy 

board  chairman  Patrick  J.  McGovern 




CIO  ENTERPRISE 
VALUE  AWARDS' 


The  Resource  for 
Information  Executives 


As  an  executive  who  has  built  or  conceived  an  IT  system 
that  delivers  both  demonstrable  ROI  and  strategic  value  to 
your  organization,  you  deserve  recognition  and  praise. 

Now  in  its  14th  year,  the  CIO  Enterprise  Value  Award  will 
bring  you,  your  company  and  your  IT  organization  the 
industry  prestige  you  deserve. 


Download  the  application 
from  our  website  at 

www.cio.com/eva 

or  contact  Lynne  Rigolini 
at  508-935-4088. 

Deadline  for  entry: 

April  15,  2005 


NEW  EVENT! 

CIO  Leadership  Conference 


Part  of  the  CIO  Leadership  Agenda  2005 

May  9  &  10, 2005  •  The  Charles  Hotel  •  Cambridge,  MA 


A  burning  question  for  CIOs  is  where  will  the  next  generation  of 
IT  leaders  come  from?  The  CIO  Leadership  Conference  begins 
to  answer  that  question. 

Who  Should  Attend 

> CIOs who seek to elevate the position within the enterprise and who are defining what it will take to be the CIO of the future

> Senior IT staff, today’s “up and comers,” who will assume the mantle of IT leadership in the future


For  more  information  and  to  register  visit 

www.cio.com/conferences  or  call  800.366.0246 


Conference  Moderator 

F.  Warren  McFarlan 

Harvard  Business  School’s 
Baker  Foundation  Professor, 
will  deliver  the  opening  keynote 
The  Once  &  Future  CIO 


Keynote  Speaker 

Clayton  Christensen 

Author  of 

The  Innovator’s  Dilemma 
and  HBS  Professor,  on 
Seeing  What’s  Next 


CIO  Executive  Council 

The  Professional  Organization  for  CIOs 


Ones  To  Watch™ 
Awards 

We’ll  also  recognize  those  future 
leaders— who  have  been  identified 
and  sponsored  by  the  CIOs  of 
today's  leading  organizations— 
with  CIO  Magazine’s  2005  Ones 
To  Watch  Award  during  a  special 
reception,  dinner  and  awards 
presentation. 


Judges 

Steve  Agnoli 

CIO,  Kirkpatrick  &  Lockhart  LLP 

Steve  Brown 

Executive  Vice  President  &  CIO, 
Carlson  Companies 

Lynn  Caddell 

Senior  Vice  President  &  CIO, 
Waste  Management,  Inc. 

Jody  Davids 

Executive  Vice  President  &  CIO, 
Cardinal  Health 

Dana  Deasy 

Senior  Vice  President  &  CIO, 
Tyco  International  Ltd. 

Joe  Drouin 

VP  &  CIO,  TRW  Automotive 

Sam  Gaer 

CIO,  New  York  Mercantile 
Exchange 

Tsvi  Gal 

Senior  Vice  President  &  CIO, 
Warner  Music  Group 

Kathy  Lane 

Senior  Vice  President  &  CIO, 
Gillette  Company 

Lars  Rabbe 

Senior  Vice  President  &  CIO, 
Yahoo!  Inc. 

Steve  Sheinheit 

CIO,  MetLife 

Sue  Unger 

Senior  Vice  President  &  CIO, 
DaimlerChrysler  AG 

Carl  Wilson 

CIO  &  Executive  Vice  President, 
Marriott  International 


Session  Highlights 


Mind  the  Gaps:  Measuring  Yourself  Against 
the  Ideal  CIO  Job  Spec 

CIO  magazine  and  the  CIO  Executive  Council  have  developed  the  “ideal  CIO 
job  spec.”  It’s  a  great  tool  to  help  up-and-comers  (and  any  CIO  who  wants  to 
continuously  improve)  expose  gaps  in  their  knowledge  and  experience.  Our 
panel  of  experts  takes  calls  from  the  field  and  questions  from  the  audience 
and  offers  advice  on  closing  those  gaps. 

How  to  Identify  and  Develop  IT  Leaders 

Three  successful  CIOs,  members  of  the  CIO  Executive  Council,  talk  through 
their  strategies  for  identifying  future  leaders  and  developing  their  IT,  business 
and  communication  skills. 

Technology  Leadership 

The  most  successful  IT  organizations  have  a  deep  understanding  of  new 
technology and can link that to what technology can do for the business.

Our  panel  gives  us  the  benefit  of  their  experience  and  opinions. 

Featuring  Charles  S.  Brenner,  SVP,  Fidelity  Center  for  Applied  Technology, 
and  CIO  magazine  Technology  Editor  Christopher  Lindquist 

The  Must  Have  Leadership  Skills  for  Stepping  Up 

There  are  certain  key  skills  that  are  essential  to  being  successful  at  the  top 
that  not  all  CIOs  and  CIO  candidates  possess.  We’ll  cover  three  of  the  most 
important:  how  to  inspire,  motivate  and  develop  the  IT  staff;  how  to  delegate 
effectively;  and  how  to  successfully  manage  other  people’s  expectations 
-each  presented  by  an  accomplished  CIO  who  has  been  there. 

Featuring Jeri Dunn, SVP & CIO, Tyson Foods

How  I  Ran  a  Business  P&L  and  What  I  Learned  in  the  Process 

A  CIO  with  an  IT  background  did  a  stint  running  a  business  division,  with 
full  P&L  responsibility,  before  eventually  returning  to  run  IT.  How  did  the 
opportunity  present  itself?  What  was  that  like?  What  were  the  key  skills  and 
experience  gained  and  lessons  learned  that  helped  make  this  executive  a 
more  successful  CIO? 




SALES  AND  SERVICES 


CIO  SALES  OFFICES 

President  and  CEO 

Walter  Manninen  •  508  935-4101 

Publisher 

Gary  J.  Beach  •  508  935-4202 

Executive  VP  Sales/Custom  Publishing 

Ellen  Romanow  •  508  935-4796 

EAST  COAST 

Senior  Vice  President, 

Sales  and  Integrated  Solutions/East 

Joan  Kelly  •  508  935-4586 
Regional  Sales  Director 
Kathy  Powers  •  201 634-2331 
Regional  Sales  Manager 
Ellie Schwab • 201 634-2332
District  Sales  Manager 
Andrew  Haney  •  508  988-7863 
Fax  •  508  879-6063 
Account  Executive 
Joan Bonadeo • 201 634-2328
Senior  Sales  Associate 
Rhonda  Goodman  •  201 634-2329 
Fax  •  201 634-9513 

NEW  ENGLAND 

Senior  Vice  President, 

Sales  and  Integrated  Solutions/East 

Joan Kelly • 508 935-4586

SOUTH  CENTRAL 

Regional  Director/Advertising  Sales 

Robert  E.  Sawdon  •  512  306-9801 
Account  Executive 

Brenda Garza • 512 306-9801
Fax • 512 306-9805


NORTH  CENTRAL 

Senior  District  Sales  Manager 

Beth DeVillez • 847 759-2727
Advertising  Sales  Associate 
Kim  Giovanni  •  847  759-2728 
Fax  •  847  759-2729 

WEST  COAST 

VP,  Sales  and  Integrated  Solutions/West 

Bob Melk • 415 975-2685

Senior  Regional  Sales  Managers 

Al Collins • 415 975-2686

Regional  Sales  Manager 

Kevin  Ebmeyer  •  415  975-2684 

Account  Executive 

Derek  Jung  •  415  975-2683 

Fax  •  415  543-2358 

Senior  Sales  Associate 

Sara  Mascall  •  415  978-3385 

SOUTHERN  CALIFORNIA 

Regional  Sales  Manager 

Kevin  Ebmeyer  •  415  975-2684 


CUSTOM  PUBLISHING 

Group  Director 

Michael  Siggins  •  508  988-6763 
Director  Mary  Gregory  •  508  988-6765 
Director  of  Content  Development  Tom  Field 
Assoc. Director of Content Development

Anne  Stuart 

Senior  Project  Manager  Amy  Greenleaf 
Project  Managers  Dawn  Cora, 

John Danielowich, Jon Heinrich

REPRINT  SERVICES 

For  article  reprints  (500  quantity  or  more), 
please  contact  Jesse  Levy  at  PARS 
International (212 221-9595 x123) or
via  e-mail  at  jesse@parsintl.com. 

CIO  IS  PUBLISHED  IN  THE 
U.S.  AS  WELL  AS  IN: 

Australia,  CIO  Australia  www.idg.com.au 
Canada,  CIO  Canada  www.lti.on.ca/cio 
China,  CEO  &  CIO  China  www.ceocio.com.cn 
France,  CIO  France  www.idg.fr/cio 
Germany,  CIO  Germany  www.cio.de 
India,  CIO  India  91-80-521-0309/12 
Japan,  CIO  Japan  www.idg.co.jp 
The  Netherlands,  CIO  Netherlands  www.cio.nl 
New  Zealand,  CIO  New  Zealand  www.idg.co.nz 
Norway,  CIO  Business  Standard 
www.business-standard.no
Poland,  CXO  Poland  www.cxo.pl 
Singapore,  CIO  ACEN/Hong-Kong 
www.idg.com.sg 

South  Korea,  CIO  Korea  www.cio.seoul.kr 
Sweden,  CIO  Sweden  www.cio.idg.se 

For  further  sales  information,  visit 

www2.cio.com/marketing/aboutdo/contacts.cfm.


LIST  SERVICES 

List  Services  Director 

Kathryn  A.W.  Marston  •  508  935-4072 

List  Services  Account  Executive 

Stephanie  Roy  •  508  935-4151 

ONLINE  SERVICES 

VP/Online  Sales 

Lisa  Brown  •  508  935-4470 
Online  Sales  Manager 

Michael McPhee • 508 935-4611


INDEX OF COMPANIES AND ADVERTISERS

Page numbers refer to the first page of the article(s) in which the company has a substantial mention.

This index is provided as a service to readers. The publisher does not assume any liability for errors or omissions.


COMPANY INDEX

7-Eleven Inc., 23
arcplan Inc., 48
AT&T Corp., 70
Banknorth Group Inc., 82
Barclays Bank PLC, 60
BMC Software Inc., 93
Burton Snowboards, 23
Business Objects S.A., 48
Carlson Restaurants Worldwide Inc., 48
CIO Associates, 34
CKE Restaurants Inc., 48
Cognos Inc., 48
Compaq Computer Corp., 48
Computer Associates International Inc., 93
Counterpane Internet Security Inc., 70
CUNA Mutual Group, 70
Cutter Consortium, 60
Deloitte Touche Tohmatsu, 23
Deutsche Bank AG, 82
Diebold Inc., 23
Dow Chemical Co., The, 93
Forrester Research Inc., 93
Gartner Inc., 48, 93
Groove Networks Inc., 23
Hardee's Food Systems Inc., 48
Hewlett-Packard Co., 93
HVS International, 48
HyPerformix Inc., 93
Hyperion Solutions Corp., 48
IBM Corp., 48, 82, 93
IDC, 48, 93
Identify Software Ltd., 93
Information Builders Inc., 48
J.P. Morgan Chase & Co., 93
Kaiser Permanente, 82
Marriott International Inc., 12
Marshall & Swift, 93
McCann WorkGroup, 60
Mercury Interactive Corp., 93
Meta Group Inc., 70
Microsoft Corp., 48, 70
MicroStrategy Inc., 48
Motorola Inc., 23, 70
Nasdaq Stock Market Inc., The, 60
Nationwide, 70
optionsXpress Holdings Inc., 93
Oracle Corp., 48, 70, 93
ProactiveNet Inc., 93
Ruby Tuesday Inc., 48
SANS Institute, The, 70
SAP AG, 93
Shuffle Master Inc., 93
Sophos PLC, 70
State Street Corp., 82
Sybase Inc., 48
Technology Partners International Inc., 23
Tower Group Inc., 82
Wendy’s International Inc., 48
WesCorp, 70
Wily Technology Inc., 93


ADVERTISER INDEX

3Com Corp., 81
Akamai Technologies Inc., 6
American Power Conversion, 77
Citrix Systems Inc., 37
Compuware, 39
CXO Media Inc., 42, 59, 90, 103, 104, 107
Dell Inc., 89, 91
EMC2 Corp., 95, 97, 99
Fujitsu Computer Systems Corp., 25
Hewlett-Packard Co., C2, 63
IBM Corp., 2, 32, 45
infoUSA.com Inc., 29
Internet Security Systems, 41
Japan External Trade Organization (JETRO), 75
KODAK Service & Support, 31
Lee Technologies, 69
Microsoft Corp., 9, 20, 87
MRO Software Inc., 101
NetIQ Corp., 4
Oracle Corp., 27
Polycom Inc., 15
Primavera Systems Inc., 35
Remedy, a BMC Software company, 67
Riverbed Technology Inc., 85
SAS, 22
Siebel Systems Inc., 57
Siemens Corp., 17
Softtek, 92
Sprint, C4
Sun Microsystems Inc., C3
Sungard Availability Services, 79
Symantec Corp., 19
Trend Micro Inc., 52
Troux Technologies Inc., 28a
VeriSign Inc., 13
Veritas, 47
Xerox Corp., 10, 55


CIO CONTACT INFORMATION

Editorial, Advertising and Business Offices: CXO Media Inc., 492 Old
Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208,
508 872-0080.

CIO (ISSN 0894-9301) is published semimonthly and as a combined
issue Dec. 15/Jan. 1 by CXO Media Inc. Periodicals postage paid at
Framingham, MA, and at additional mailing offices. Canada Publications
Mail Agreement Number 1902075. CANADIAN POSTMASTER: Please
return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 709.

Permissions: Copyright 2005 by CXO Media Inc. All rights reserved.
Reproduction of material appearing in CIO is forbidden without written
permission. Send all requests to Permissions Department, CIO,
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA
01701-9208.

Photocopy Rights: Permission to photocopy for internal or personal
use or the internal or personal use of specific clients is granted by CIO for
users through the Copyright Clearance Center, provided that the base
fee of $3 per copy of the article, plus $.50 per page is paid directly to
Copyright Clearance Center, 27 Congress Street, Salem, MA 01970.
Please specify: ISSN 0894-9301. Permission to photocopy does not
extend to contributed articles followed by this symbol: f,

Subscriptions: CIO is free to qualified information executives. To
apply, use our online subscription form at www.subscribe.cio.com.
Subscriptions are also available on a paid basis at a rate of $95 for the
United States and Canada, $195 international (payable in U.S. funds
only) and may be ordered online at
www.subscribe.cio.com/services.html.
Or address inquiries to CIO, P.O. Box 489, Northbrook, IL 60065-0489;
866 354-1125. Please allow four to six weeks for a new subscription
to begin. The single copy price is $9 for the United States and
Canada, and $15 international. Prepayment is required, payable in
U.S. funds.

Change of Address: Please go to www.omeda.com/custsrv/cio and
follow the online instructions.

Postmaster: Send change of address to CIO, P.O. Box 489,
Northbrook, IL 60065-9816.

Printed in the U.S.A.




MARCH 15, 2005 | www.cio.com


CIO  LEADERSHIP 

THE  BOOK 


Travel  the  path 
to  leadership  with  CIOs 
who  have  been  there... 


Targeted  essays  on  how  to  be  a  better  IT  leader. 

•  Essential  skills  and  career  planning 

•  Strategic  planning  and  alignment 

•  Staff  management 

•  Influence  and  negotiation 

•  Executive  relations  and  politics...  and  more 

Drawn  from  the  real-world  experience  of  veteran 
CIO  columnists: 

•  Patricia  Wallington,  Former  CIO  of  Xerox 

•  Jerry  Gregoire,  Retired  CIO  of  Dell  Computer 

•  Susan  Cramm,  Executive  Coach,  Former  CIO  of 
Taco  Bell 

•  Christopher  Hoenig,  Managing  Director  of 
Strategic  Issues  for  the  U.S.  Government 
Accountability  Office 


THE  ESSENTIAL 


Leadership  Strategies  for  Personal 
and  Professional  Success 


Targeted  essays  from  CIO  magazine 

Edited  by  Richard  Pastore 
and  Edward  Prewitt 


Now  available  in  hardcover  at 

The  CIO  Store 




FOR  EXECUTIVE  DECISION-SUPPORT  TOOLS,  VISIT  THE  CIO  STORE-THE  CIO'S  KNOWLEDGE  MARKETPLACE. 

www.TheCIOStore.com 


03.15.05 EXECUTIVE SUMMARIES


Nasdaq  CIO  STEVE  RANDICH  relies  on 
regular  tests  of  his  data  center’s  business 
continuity  plans  to  remind  his  staff  that 
ERM  is  core  to  the  organization. 


48 | COVER STORY

THE BRAIN BEHIND THE BIG, BAD BURGER
AND OTHER TALES OF BUSINESS INTELLIGENCE

BUSINESS INTELLIGENCE (BI) software—the assembly of applications that aggregate
and analyze an organization’s information to extract useful insights—has been a
disappointment in most industries, mainly because of their failure to implement and use it
properly. But in the food industry, restaurant chains such as Hardee’s, Wendy’s, Ruby
Tuesday, T.G.I. Friday’s and others have been heavy users of BI software for years. And,
bucking the trend, they are actually getting real nourishment from it. The industry has
employed it successfully to make strategic decisions about which products to add to their
menus, which dishes to remove and which underperforming restaurants to close. They
also use BI for tactical matters, such as negotiating contracts with suppliers and
identifying opportunities to improve inefficient processes. Their success is owed to keeping
BI initiatives closely aligned with business strategies, and they’ve developed ways to
leap BI’s three highest hurdles: vast quantities of irrelevant data, poor data quality and
user resistance. By Meridith Levinson


60 | RUNNING THE RISK

Enterprise risk management (ERM) creates a single view of all risk and an
executive-level strategy to deal with it. Done right, ERM will lead to better decisions
about IT investments, better management of those systems and more value
from IT—all while reducing potential losses. So why aren’t more companies
doing ERM? Because they are unclear about the returns. Making the case for
ERM requires a leader with intimate knowledge of an enterprise’s critical
operations, their interdependencies and their reliance on IT. Sounds like
a CIO, doesn’t it? IT leaders at NASA, Nasdaq and Barclays Bank took up the
challenge, employing a strategy built from a handful of basic bricks. First,
the CIO must be inspired to lead the charge. Then, he has to define and tailor
the ERM message for each group of constituents. The strategy must be
flexible—and the CIO patient—as the move to an ERM culture takes time.
And the CIO must get out of the office to evangelize. By Allan Holmes


70  |  HOW  TO  SAVE  THE  INTERNET 

DUE TO THE VIRUSES, phishing, spying and spamming that increasingly plague it,
the eventual demise of the Internet as a commercial medium is a very real possibility.
The information security complex—vendors, researchers, developers, consultants, the
government and you—has demonstrated remarkably little will to do anything meaningful
to make the Internet more secure. Instead, we fight fires, pointing hoses at uncontrolled
blazes, sometimes inventing new hoses but never really dousing the flames and never
getting at the conflagration’s source. That’s why we decided to troll the infosecurity community
for big ideas on how to fix, or begin to fix, this problem at the macro level. Our rules were
simple: Experts could suggest any big idea that they believe could improve information
security in a profound way, and they were not restricted to currently available technologies.
The more than a dozen solutions we assembled cover a broad spectrum of practicability,
but all represent fresh thinking on how ultimately to save the Internet. By Scott Berinato

82  |  A  HIGHER  POWER 

STATE  STREET  HAS  BEEN  LAUDED  for  its  IT  governance  practices.  Its  structure  is 
composed  of  committees  through  which  decisions  cascade.  Those  business  strategies 
drive  IT  policy,  and  policy  drives  IT  execution.  Good  governance  has  been  more  important 
than  ever  for  State  Street  in  guiding  the  struggling  company  through  its  integration  of  the 
recently  acquired  Deutsche  Bank  Global  Securities  Services.  The  challenge  for  State  Street’s 
IT  department  was  to  migrate  11,000  Deutsche  Bank  customer  portfolios,  taking  cost  out 
of  the  acquisition  by  eliminating  as  many  of  Deutsche  Bank’s  IT  systems  as  possible— all 
while  maintaining  a  high  level  of  customer  service.  The  governance  committees  set  clear 
criteria  to  guide  decision  making  for  the  Integration  Project  Management  Office,  including 
placing  a  high  priority  on  any  work  relevant  to  converting  portfolios  and  retiring  costly 
systems.  These  groups  also  made  decisions  about  which  systems  to  retain  and  which  to 
adopt.  In  the  end,  State  Street’s  $1.5  billion  acquisition  has  been  recognized  as  one  of  the 
more  successful  integrations  in  the  financial  services  industry  by  virtue  of  the  economies 
of scale reaped and the percentage of revenue retained. By Sarah D. Scalet




PHOTO  BY  EVAN  KAFKA 




76  %  FASTER 

BECAUSE  WE’RE 

100%  COMMITTED 

TO  BUILDING 
BUSINESS  SYSTEMS 

(NOT  CUTE  MP3  PLAYERS,  PRINTERS,  AND  CAMERAS.) 




microsystems 

The  Network  is  the  Computer 


SUN  FIRE™  SERVERS  WITH  AMD  OPTERON™  PROCESSORS. 

UP TO 76% FASTER¹ THAN THE COMPETITION AND 35% LOWER COST

Sun delivers extreme performance at an unbeatable price. Choose the 2-way Sun Fire™ V20z server or the 4-way Sun
Fire V40z server, and you’ll get the advanced power and flexibility of the AMD Opteron™ 800 or 200 series processor,
plus the ability to run your choice of operating systems, including Solaris™ OS and Red Hat Linux, in either 32-bit or
64-bit mode. Add world-class Sun service and support, and you have the competition-crushing server solution your
business demands. Learn more at sun.com/amd


¹The comparison presented above is based on the IBM eServer xSeries 365 (4x 3.0GHz Intel Xeon MP) result of 2616 conforming connections and Sun Fire V40z server (4x AMD Opteron 850)
result of 4608 conforming connections on SPECweb99_SSL benchmark, as of 12/08/04. SPEC and the benchmark name SPECweb99_SSL are registered trademarks of the Standard
Performance Evaluation Corporation. For the latest SPECweb99_SSL benchmark results, visit www.spec.org. ²Source: DH Brown Pricing Configurator dated 11/3/04. 4x 3.0GHz/8GB memory
using 1GB DIMMs/2x 73GB (10K) disks/DVD/2 redundant power supplies/OS.

© 2005 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, the Sun logo, Sun Fire, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States
and other countries. AMD, the AMD Arrow logo, AMD Opteron, and combinations thereof are registered trademarks of Advanced Micro Devices, Inc.


No  one  gets  more  work  done  on  a  golf  course  than  The  PGA  of  America.  Which  is  why  The 
PGA  turns  to  Sprint  for  a  customized  network  to  help  seamlessly  connect  the  course  to  the 
rest  of  the  world.  The  Sprint  solution  is  a  fully  integrated  wireless  and  wireline  network  that 
enables  the  media  to  send  large  digital  files  quickly  and  keeps  business  professionals  connected 
to  their  offices  -  at  broadband  speeds.  All  this  and  Sprint  reduced  The  PGA's  network  setup 
costs  by  33%.  Conducting  business  as  usual  while  on  a  golf  course  -  now  that's  beautiful. 
With  Sprint,  business  is  beautiful.SM 

>  Visit  Sprint.com/beautiful  for  case  studies  or  call  877-777-5568  >  Wireless.  Data.  Voice.  IP 


©2005  Sprint.  All  rights  reserved.  Sprint  and  the  diamond  logo  are  trademarks  of  Sprint  Communications  Company  L.P. 


